Splunk Search

Why is my alert report only showing the first result of every row?

sphiwee
Contributor

I have this table and I'm trying to send it as a report/alert every morning to our teams chat group.

sphiwee_0-1646242888847.png

 

This is how it's getting sent out; it's only showing the first result of every row.

sphiwee_1-1646243058500.png

Here's the query:

| webping http://CTXSDC1CVDI041.za.sbicdirectory.com:4444/grid/console
| append [ webping http://CTXSDC1CVDI042.za.sbicdirectory.com:4444/grid/console ]
| append [ webping http://CTXSDC1CVDI043.za.sbicdirectory.com:4444/grid/console ]
| append [ webping http://CTXSDC1CVDI044.za.sbicdirectory.com:4444/grid/console ]
| append [ webping http://CTXSDC1CVDI045.za.sbicdirectory.com:4444/grid/console ]
| append [ webping http://CTXSDC1CVDI046.za.sbicdirectory.com:4444/grid/console ]
| append [ webping http://CTXSDC1CVDI047.za.sbicdirectory.com:4444/grid/console ]
| append [ webping http://CTXSDC1CVDI048.za.sbicdirectory.com:4444/grid/console ]
| append [ webping http://ctxsdc1cvdi013.za.sbicdirectory.com:4444/grid/console ]
| append [ webping http://CTXSDC1CVDI049.za.sbicdirectory.com:4444/grid/console ]
| append [ webping http://CTXSDC1CVDI050.za.sbicdirectory.com:4444/grid/console ]
| eval timed_out = case(timed_out=="False", "Machine On", timed_out=="True", "Machine Off")
| eval response_code=if(response_code==200, "Hub and Node Up", "Hub and Node Down")
| rex field=url "http:\/\/(?<host_name>[^:\/]+)"
| table host_name response_code timed_out total_time

 
