Give this a try your current search with fields problemType promblemLocation problem x | eval problem=problem."##".x | stats count by problemType promblemLocation problem | table problemType promblemLocation problem | rex field=problem "(?<problem>.+)##(?<x>.+)" | stats list(problem) as problem list(x) as x by problemType problemLocation ... View more

Hi @samsam48, By $result.fieldName$ you are referring to the message field. If you want to put the entire result in the email content, you can use the Include option - the 7th option mentioned in the following documentation http://docs.splunk.com/Documentation/Splunk/7.1.2/Alert/Emailnotification#Define_an_email_notification_for_an_alert_or_scheduled_report Also you could opt to just add the link to the results or add as a PDF/csv attachments. Hope that helps for your requirement ... View more

Hi samsam48, I usually don't insert data in the eMail body to have a more general eMail and to avoid problems with fields. I usually attach a file (csv or pdf) with the results or I enable the link to results (if the receiver is enabled to use Splunk). Bye. Giuseppe ... View more

@samsam48 - Okay, it's fully commented now. Make sense? Your alert would replace everything before the comment in line 3 that says "the above just provides test data". If you don't need the detail, then change line 36 from | eventstats max(List*) as List* max(Count*) as Count* to | stats max(List*) as List* max(Count*) as Count* and kill everything after it. You could also kill the appendpipe command itself and the square braces around the subsearch, since you wouldn't be keeping the individual events that the appendpipe is there to avoid affecting. ... View more

@samsam48, did it help you ? If yes, then I would convert it as answer and then you can accept it to close this thread. ... View more

Hi samsam48, you can use more fields in the search command with boolean operators (remember that no operator means AND). You can use more times the rex command in a search or extract more fields in the same rex and use all of them in the following search command, e.g. my_search | rex "regex extracting field1" | rex "regex extracting field2" | rex "regex extracting field3" | search field1=value1 field2=value2 field3=value3 You have two way to extract fields: using field extractor using the rex command the first one is related to a single sourcetype and permits to extract a field one time and use it in every search; the second one isn't related to a sourcetype and applicable to all the results of a search not depending on the sourcetype, but must be extracted in every search. Remember that for performaces it's better to have the search parameters as left as you can, so (if possible) it's better to extract a field out of the search and use it in the main search without declaring it in the regex. About the index, it's better to use the index parameter in every search to have more performant searches, because if you don't declare it (also more than one) Splunk runs you search in all the indexes of the default search path instead the one you want, in addition you could not find results if your index isn't in the default search path, declared for your user's role (if you're using admin you have in the default search path all the indexes), e.g. in your search index=my_index sourcetype=ServerA (word1 OR word2 OR word3) ... See at http://docs.splunk.com/Documentation/Splunk/7.1.2/Search/GetstartedwithSearch Bye. Giuseppe P.S.. if you're satisfied by this answer acept and/or upvote it. ... View more

You're welcome! 🙂 ... View more