Splunk Search

How to save the output of a stats search to send raw events in alert emails, not a chart or table?

ashutoshsharma1
Path Finder

How do I convert the output of a search with a stats command, which generates a table as output, into events?

And thus send events as email alerts, not a chart/table.

0 Karma
1 Solution

ashutoshsharma1
Path Finder

I will answer my own question here; I finally found it.

search term | case () | streamstats fieldnames ,_raw,_time

streamstats/eventstats takes you to events rather than statistics and calculates the statistics for each event.

Let's say you have
stats count as ProductCount by product_name; then streamstats will set ProductCount to 1 for the first event, then 2 for the 2nd event, and so on for product_name=Ferrari, and if you have BMW as a product it will reset from 1 again for those events.

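Worked example (added here for illustration; it is not part of the original post or the asker's actual search): the scenario described in this thread, a per-product amount threshold that still has to deliver raw events to the alert email, written with eventstats and streamstats instead of stats. The field names amount and product_name, the sourcetype vendor_sales and the 5000 threshold are taken from the thread; that amount already exists on each event is an assumption (in the asker's search it came from a case() eval that is not shown).

```spl
sourcetype=vendor_sales
| eventstats sum(amount) AS total_amount BY product_name
| where total_amount > 5000
| streamstats count AS ProductCount BY product_name
```

How it differs from the stats version: stats collapses the events into one row per product_name and discards _raw, host and sourcetype, so a later filter on the total has nothing left to email. eventstats computes the same sum(amount) per product_name but writes it back onto every event as total_amount, so the where clause keeps whole events and the alert action can still send them in its raw/inline format. streamstats then adds the running ProductCount described in the answer above (1, 2, 3 for Ferrari; restarting at 1 for BMW). Two caveats: streamstats numbers events in the order they arrive, which for an unsorted search is newest first, so add `| sort 0 _time` before it if the count has to be oldest first; and do not finish the search with `| table ...`, because table switches the results to the Statistics view, whereas `| fields ...` trims fields while keeping the results as events. The `values(_raw) as _raw` suggestion further down the thread is a different trick: it still produces a stats table, with one multivalue _raw cell per product, not the individual events.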
sundareshr
Legend

Try this

your current search till stats command | stats count etc values(_raw) as _raw | table count _raw
0 Karma

ashutoshsharma1
Path Finder

I downvoted this post because this query is incorrect; it gives an error, "etc" not found.

0 Karma

ppablo
Retired

Hi @ashutosharma17

Please do not downvote people who are just trying to help you out here. This is not how voting etiquette works on Splunk Answers. Only downvote users who give you a solution that could be dangerous and possibly break something in your environment. For more background on how community culture works in this forum, visit this previous post:
https://answers.splunk.com/answers/244111/proper-etiquette-and-timing-for-voting-here-on-ans.html

It's difficult for people to give you an accurate answer if you don't provide as much information for them to work with. If you have an existing search with sensitive information, just anonymize anything as necessary so other users can at least see the syntax of the rest of the search string to give you a more complete solution.

0 Karma

ashutoshsharma1
Path Finder

My bad @ppablo, I am new here.
I just downvoted because I thought it set the answers to zero so someone doesn't think it's answered already.

0 Karma

ppablo
Retired

No problem, thanks for responding. Glad you found your answer, and thanks for sharing it with the community.

0 Karma

ashutoshsharma1
Path Finder

This is throwing an error, actually. The stats command is being filtered later on the (amount) and being searched for (amount)>5000.
I can't optimize this search by moving the search forward, as amount is calculated from the case which is created in the query.

0 Karma

sundareshr
Legend

Please share your query

0 Karma

ashutoshsharma1
Path Finder

Please reply, sundar; it's still not done yet.

I tried your query without "etc", but it shows me the count.

I want the EVENT as output, like host, sourcetype, etc., not the chart/table.

0 Karma

ashutoshsharma1
Path Finder

Can't share it as it's a discrete query, but the above command is also not working on a simple
query:
sourcetype=vendor_sales | stats count by product_name | stats count etc values(_raw) as _raw | table count _raw

It says "etc" is invalid.

0 Karma