Re: Alert results

onurasln55 · ‎04-04-2023

Let's say I have a query like "index=myindex honor | stats count by mydata,mydata2". I want to add the results of this query as a note in my soar system. My problem starts exactly at this point. If the result of my query is 1 row, there is no problem, but when more than one row results, I can only add the first row as a note. I am sending the data in the form of "$result.mydata$" and "$result.mydata2$" to the soar system. I want to print the whole line, not a single line. that is, as a result, I want to direct all the results in the incoming table and add them to the query.

thanks

Gr0und_Z3r0 · ‎04-05-2023

Hi @onurasln55

I'm trying to understand the problem and am assuming, you want to send the whole result table mydata,mydata2 and count as a single line to wherever you want.

If so, here is an example where i have 3 columns and sending it as one liner

index=_internal 
| fields eventtype log_level 
| stats count by eventtype log_level 
| eval a = eventtype +"," +log_level+"," +count 
| fields a 
| mvcombine a delim=";"
| nomv a

~ If the reply helps, an upvote would be appreciated.

Adding all lines of results of search as a note to SOAR system?

alert action

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

Everything Community at .conf24!

Index This | I’m short for "configuration file.” What am I?