×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
ssd
Loves-to-Learn Everything
Member since: ‎01-15-2021
‎02-15-2021
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎01-15-2021
View All

How to create something like a ASCII table for sen...

by in Alerting
‎01-15-2021 01:45 AM
‎01-15-2021 01:45 AM
Hi there, i am trying to figure out a way, to output results of an alert as a table into an external application e.g. a ticketing tool which has a "notes"-textbox which allows just plain text.  At the moment, i just send the raw logs by $result._raw$, but what i want to do is something like: Query Example: index=main sourcetype=WinEventLog:Security EventID IN (4624,4625) | stats count by _time, user, EventID, host DESIRED OUTPUT for the external Application: +--------+-------+---------+----------+ | _time | user | EventID | host        | +--------+-------+---------+----------+ | time_1 | alice | 4625 | 10.0.0.5 |  | time_2 | bob |  4624  | 10.0.0.6 | | time_3 | tom |  4624  | 10.0.0.7 | +--------+-------+---------+----------+   Is this possible?  First i thought mvcombine, but don´t now if such a pattern is possible? Kind regards ssd ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎02-15-2021 01:36 PM