Splunk Search

How do you include a varying number of a Splunk Search's field values in an email alert?

samsam48
Explorer

I have a Splunk Search that returns events that have an alert-type field value of "Severe", "Moderate", and "light". Each event also has a corresponding description field outlining what happened. Within the email alert that I set up, how can I group these events by alert type and then apply logic to display a certain number of their corresponding descriptions? For example, if the "Severe" group has less than 5 results, display all 5 descriptions in the email. However, if the "Moderate" group has over 300 results, don't bother showing any descriptions.

Also, is there an easy way to get counts of these events within the email body logic, like printing to the email body that there were X number of results for each type? Or are these in the search itself?

0 Karma

renjith_nair
Legend

@samsam48,

If you have a definite number for each alert-type, e.g. 5, then you could filter it in the main search itself.

"your search"|fields alert-type,description|eventstats count by alert-type
|eval description=if(count>5,"",description)|stats values(description) as description,values(count) as count by alert-type

Run-anywhere example:

index=_*|fields source,sourcetype|eventstats count by sourcetype|table source,sourcetype,count
|eval source=if(count>100," ",source)|stats values(source) as source,values(count) as count by sourcetype
---
What goes around comes around. If it helps, hit it with Karma 🙂
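The search above uses one fixed cutoff for every alert type; the question asks for a different cutoff per type (Severe: 5, Moderate: 300) plus a per-type count. The following SPL is an added example, not the answerer's or Splunk's own code, extending the same eventstats/eval/stats pattern: it assumes the event fields are literally named alert-type and description (a hyphenated field must be single-quoted inside eval), and the cutoff chosen for "light" (300) is an assumption.

```spl
"your search"
| fields alert-type, description
``` count events per alert type without collapsing the rows ```
| eventstats count AS type_count BY alert-type
``` per-type cutoff; the "light" value is an assumed default ```
| eval threshold=case('alert-type'=="Severe", 5, 'alert-type'=="Moderate", 300, true(), 300)
``` null() rather than "" so stats values() drops the suppressed descriptions entirely ```
| eval description=if(type_count>threshold, null(), description)
``` one row per alert type: its count and the descriptions that survived the cutoff ```
| stats max(type_count) AS count, values(description) AS descriptions BY alert-type
```

In the alert's email action, enabling "Include results" in the inline table format places this one-row-per-type table (count and descriptions) in the message body; the $job.resultCount$ token gives the number of result rows, and $result.fieldname$ tokens refer only to the first row, so per-type counts are best read from the inline table rather than from tokens.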

renjith_nair
Legend

@samsam48, did it help you? If yes, then I would convert it to an answer and then you can accept it to close this thread.

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma