stats command gives complete result in dashboard, not in alert

Motivator

The query below gives results like:

index=* | stats values(SERVICENAME) as SERVICE by HOST

HOST  SERVICE
----- ------
h1    s1
      s12
h2    s2
      s23
h3    s3
      s56
h4    s4
h5    s4

When I use the sendemail command to send this as an alert, it gives:

   index=* | stats values(SERVICENAME) as SERVICE by HOST | sendemail to="xx" ...

 HOST  SERVICE
 ----- ------
 h1   s1
 h2   s2
 h3   s3
 h4   s4
 h5   s4

I am missing the complete results from my stats command. Please advise whether I need to change the 'sendmail.py' file to get complete results.

SplunkTrust

Looks like you are having some issue with it being a multivalue situation. I would either use mvexpand to make the results one-to-one per line before emailing, or put it in a dashboard and then schedule an email report, such as a PDF of that dashboard, on a schedule.
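
Two ways to flatten the multivalue SERVICE field before it reaches sendemail, as an added example that is not part of either poster's reply; the field names and sendemail arguments are taken from the question, and the mailbox and subject are placeholders from the thread. The first search goes beyond the mvexpand suggestion above by also showing the single-row alternative.

```spl
index=* | stats values(SERVICENAME) as SERVICE by HOST | mvexpand SERVICE | sendemail to="xx@x.x" subject=myresults sendresults=true

index=* | stats values(SERVICENAME) as SERVICE by HOST | eval SERVICE=mvjoin(SERVICE, ", ") | sendemail to="xx@x.x" subject=myresults sendresults=true
```

The first search emits one row per HOST/SERVICE pair (h1 s1, h1 s12, ...), so nothing depends on how sendemail renders multivalue cells; the second keeps one row per HOST but turns SERVICE into a plain comma-separated string before the email is built.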

SplunkTrust

If that behaviour only occurs with a particular sourcetype it's probably best to post some sample data along with the configuration for that sourcetype.

Motivator

Also, it works for me with some other sourcetypes, but the one I am facing the issue with is UDP data.

Also, I am extracting SERVICE values using FIELD-EXTRACTOR.

I don't think that should be a problem for Splunk. Anyway, when I run stats the results properly show all the values of SERVICE, but when I do the | sendemail it somehow skips them.
Strange behavior.

SplunkTrust

Even odder 😞 the stats calls are identical except for different field names, so something more sneaky must be going on.

Motivator

Hi,

I got the results in one row separated by spaces for the _internal query.

But I still face the same issue with my search query: it takes only one value of SERVICE and skips the remaining values.

SplunkTrust

Odd, the only difference I see is format=html, but that's the default value.

Are you seeing the same issue with the _internal query I posted above?

Motivator

I am using version 6. I am using the search query below. It doesn't give all the values of SERVICENAME.

index=* | stats values(SERVICENAME) as SERVICE by HOST | sendemail to="xx@x.x" format=html subject=myresults sendresults=true smtp="smtp.xxx.com"

SplunkTrust

I don't seem to be able to reproduce that... if I do this:

index=_internal | stats values(source) by sourcetype | sendemail to=me@me.me server=myserver subject=mvtest sendresults=true

I get all values of the multivalue field for the sources, just not in two rows like in the Splunk result without sendemail, but rather in one row separated by a space:

sourcetype   values(source)
...
splunkd      /opt/splunk/var/log/splunk/metrics.log /opt/splunk/var/log/splunk/splunkd.log
...

Are you doing anything differently? What version are you on?