cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
tleduc
New Member
Member since: ‎06-26-2019
‎06-05-2020
Community Statistics
Posts 4
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎06-26-2019
Activity Feed
View All

Re: Email alert to recipient within results set, m...

by in Alerting
‎05-25-2020 04:43 AM
‎05-25-2020 04:43 AM
index=_internal | stats count by sourcetype | eval emailToHeader=if(sourcetype="splunkd","user1@my.com","user2@my.com") | outputlookup MyTempLookup.csv | stats values(emailToHeader) AS emailToHeader | mvexpand emailToHeader | map search=" | inputlookup MyTempLookup.csv | where emailToHeader=\"$emailToHeader$\" | fields - emailToHeader | sendemail sendresults=true inline=true to=\"$emailToHeader$\" subject=\"Your Subject here: \" message=\"This report alert was generated by Splunk.\"" ... View more

Re: Email alert to recipient within results set, m...

by in Alerting
‎05-25-2020 04:04 AM
‎05-25-2020 04:04 AM
You can find solution in link below, I followed and it works perfectly! https://answers.splunk.com/answers/399434/send-emailed-results-to-an-email-address-in-the-re.html ... View more

Re: Mapping data from small sourcetype to another ...

by in Splunk Search
‎06-26-2019 09:00 PM
‎06-26-2019 09:00 PM
Hi memarshall63, yes it works, but problem is the search takes too much time (currently it's taking me more than 1 hour!). Query above is just a simplified version, I have to do a lot of evals before the stats. ... View more

Mapping data from small sourcetype to another larg...

by in Splunk Search
‎06-26-2019 07:43 PM
‎06-26-2019 07:43 PM
Hello! I'm having this issue of merging data from one sourcetype to another larger sourcetype. Example: index=ecs_internal (sourcetype=ecs:encode parcel_id=* earliest=-30d@d latest=@d) OR (sourcetype=ecs:input barcode_id=* earliest=-60d@d latest=@d) | eval parcel_id=if(isnotnull(parcel_id), parcel_id, barcode_id) | stats latest(*) as *, sum(eval(if(sourcetype=ecs:encode, 1, 0))) as valid by parcel_id | where valid >= 1 Aim: Display all events in ecs:encode, then lookup latest related information from ecs:input. Basically, only 30% of all events in ecs:input would have data relevant to ecs:encode, thus my search is extremely slow... Join command would not work as I'm having millions of events in both sourcetypes. Many thanks in advance! ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM