The query below gives results like:
index=* | stats values(SERVICENAME) as SERVICE by HOST
HOST   SERVICE
-----  -------
h1     s1
       s12
h2     s2
       s23
h3     s3
       s56
h4     s4
h5     s4
When I use the sendemail command to send this as an alert, it gives:
index=* | stats values(SERVICENAME) as SERVICE by HOST | sendemail to="xx" ...
HOST   SERVICE
-----  -------
h1     s1
h2     s2
h3     s3
h4     s4
h5     s4
I am missing the complete results from my stats command. Please advise: do I need to change the 'sendmail.py' file to get complete results?
Looks like you are having some issue with it being a multivalue situation. I would either use mvexpand to make the results one-to-one per line before emailing, or put it in a dashboard and then schedule an email report, such as a PDF of that dashboard, on a schedule.
Also, it works for me with some other sourcetype, but the one that I am facing the issue with is UDP data.
Also, I am extracting SERVICE values using FIELD-EXTRACTOR.
I don't think that should be a problem for Splunk. Anyway, when I stat the results it properly shows all the values of SERVICE, but when I do the | sendemail it somehow skips.
I got the results in one row separated with a space for the _internal query.
But I still face the same issue for my search query: it takes only 1 value of SERVICE and skips the remaining values.
I am using version 6. I am using the search query below. It doesn't give all the values of SERVICENAME.
index=* | stats values(SERVICENAME) as SERVICE by HOST | sendemail to="email@example.com" format=html subject=myresults sendresults=true smtp="smtp.xxx.com"
I don't seem to be able to reproduce that... if I do this:
index=_internal | stats values(source) by sourcetype | sendemail to=firstname.lastname@example.org server=myserver subject=mvtest sendresults=true
I get all values of the multivalue field for the sources, just not in two rows like in the Splunk result without sendmail but rather in one row separated by a space:
sourcetype values(source)
...
splunkd /opt/splunk/var/log/splunk/metrics.log /opt/splunk/var/log/splunk/splunkd.log
...
Are you doing anything differently? What version are you on?