Hello Experts, Version : Splunk Enterprise 7.0.2 We have configured alerts from scheduled search which successfully sends alerts to slack. Using "Slack Webhook Alert" with $result.fieldname$ . Currently we have a problem of formatting the appearance of message in slack. Please provide some documents or resources where the formatting in splunk can be done,so that the message looks good in slack. Thank you. ... View more

Hello Experts, Version : Splunk Enterprise 7.0.2 We have configured alerts from scheduled search which successfully sends alerts to slack. Using "Slack Webhook Alert" with $result.fieldname$ . Currently we have a problem of formatting the appearance of message in slack. Please provide some documents or resources where the formatting in splunk can be done,so that the message looks good in slack. Thank you. ... View more

This is in follow-up to https://answers.splunk.com/answers/578105/help-with-search-to-access-json-data.html#comment-577285 Please find the attached image for sample event. The query provided by is returning :- ABC.machine_cat:_attributes.ID.ABC.machine_cat <<FIELD>> _attributes.ID.ABC.machine_cat <<MATCHSTR>> ABC.machine_cat I want ABC.machine_cat : <<VALURE of the machine_cat>> Example: ABC.machine_cat : 01 ... View more

I would like to count the number of times a Server went down, based on up/down state field. State field receives up or down for each server every five minutes. index=live_index source="rest:" state=* | stats latest(state) as state by hostname | eval host_status = if(state=="up",0,1) | join hostname[search index=temp_index | stats latest(host_status) as server_down latest(down_count) as down_count by hostname] | where host_status!=server_down | eval down_count=down_count+1 | fields hostname host_status down_count I am reading the live events from live_index and comparing the host_status with the previous host_status that are stored in temp_index . When ever the state changes, i am incrementing down_count and storing latest hostname host_status down_count to temp_index . I am running this query as a scheduled search, so that the results are stored in summary index temp_index . PROBLEM THAT I HAVE AT PRESENT:- Whenever the new servers are added OR for the initial run , the fields hostname host_status down_count should be created and populated in temp_index . Currebtly i am doing this by using the follwing. But when a new server is added or for thr initial run down_count filed and hostname host_status fields needs to be created. Pls provide me a way to create these fields, so that i can use them in the first query. index=live_index source="rest:" state=* | stats latest(state) as state by hostname | eval host_status = if(state=="up",0,1) | eval down_count=host_status | fields hostname host_status down_count SAMPLE DATA:- Time| hostname|State 3:00 AM Host1 up 3:00 PM Host2 down 3:05 PM Host1 up 3:10 PM Host1 up 3:15 PM Host1 down 3:15 PM Host2 up 3:20 PM Host1 up 3:25 PM Host1 down 3:30 PM Host1 up 3:35 PM Host1 up 3:40 PM Host1 down 3:45 PM Host1 down 3:50 PM Host1 down 3:55 PM Host1 up 4:00 PM Host1 up ... View more

Q1. I would like to format table columns for the values starting with minus(-). Q2. Use Time range picker token for enddaysago in query. enddaysago=$token.earliest$ or enddaysago=$token.latest$ is not working. ... View more

I would like to count the number of times a Server went down based on up/down status field. How can i evaluate multiple(continuous) down into one down status, when i am receiving events every five minutes? Multiple(continuous) down for one host should be treated as one down . Time| Server |Status 3:00 AM Host1 up 3:00 PM Host2 down 3:05 PM Host1 up 3:10 PM Host1 up 3:15 PM Host1 down 3:15 PM Host2 up 3:20 PM Host1 up 3:25 PM Host1 down 3:30 PM Host1 up 3:35 PM Host1 up 3:40 PM Host1 down 3:45 PM Host1 down ... View more