Splunk Search

How to save the output of a stats search to send raw events in alert emails, not a chart or table?

Path Finder

How to convert the output of a search with stats command that's generating a table as output to events?

Thus send Events as email alerts, not a chart/table

0 Karma

Re: How to save the output of a stats search to send raw events in alert emails, not a chart or table?

Legend

Try this

your current search till stats command | stats count etc values(_raw) as _raw | table count _raw
0 Karma

Re: How to save the output of a stats search to send raw events in alert emails, not a chart or table?

Path Finder

This is throwing an error. Actually, the stats command is being filtered later on the (amount) and being searched for (amount)>5000.
Can't optimize this search by moving the search forward, as amount is calculated on the case which is created in the query.

0 Karma

Re: How to save the output of a stats search to send raw events in alert emails, not a chart or table?

Legend

Please share your query

0 Karma

Re: How to save the output of a stats search to send raw events in alert emails, not a chart or table?

Path Finder

Can't share it as it's a discrete query, but the above command is also not working on a simple query:
sourcetype=vendorsales |stats count by productname | stats count etc values(_raw) as _raw | table count _raw

saying etc is invalid

0 Karma

Re: How to save the output of a stats search to send raw events in alert emails, not a chart or table?

Path Finder

Please reply sundar, still not done yet.

I tried your query without etc, but it shows me the count.

I want the EVENT as output, like host, sourcetype, etc., not the chart/table.

0 Karma

Re: How to save the output of a stats search to send raw events in alert emails, not a chart or table?

Path Finder

I downvoted this post because this query is incorrect; it gives the error: etc not found.

0 Karma

Re: How to save the output of a stats search to send raw events in alert emails, not a chart or table?

Community Manager

Hi @ashutosharma17

Please do not downvote people who are just trying to help you out here. This is not how voting etiquette works on Splunk Answers. Only downvote users who give you a solution that could be dangerous and possibly break something in your environment. For more background on how community culture works in this forum, visit this previous post:
https://answers.splunk.com/answers/244111/proper-etiquette-and-timing-for-voting-here-on-ans.html

It's difficult for people to give you an accurate answer if you don't provide as much information for them to work with. If you have an existing search with sensitive information, just anonymize anything as necessary so other users can at least see the syntax of the rest of the search string to give you a more complete solution.

0 Karma

Re: How to save the output of a stats search to send raw events in alert emails, not a chart or table?

Path Finder

My bad @ppablo, I am new here.
I just downvoted because I thought it set answers to zero so someone doesn't think it's answered already.

0 Karma

Re: How to save the output of a stats search to send raw events in alert emails, not a chart or table?

Community Manager

No problem, thanks for responding. Glad you found your answer, and thanks for sharing it with the community.

0 Karma