Alerting

Use token to show the value returned by addcoltotals command in the subject of the email

raghul725
Explorer

Hello,

I am using the addcoltotals command to get the total value of a column, and I would like to display the value returned by addcoltotals in the subject of the email when an alert is triggered.

my_search|chart count AS XXXX by YYYY| addcoltotals labelfield="Total Delivered"

The output is:

Files | Files_Count | Total Delivered
F1    | 3           |
F2    | 5           |
F3    | 3           |
      | 11          | Total

I would like 11 to be displayed in the subject line. Tried various tokens but could not get it working.

Regards


VatsalJagani
SplunkTrust

@raghul725 - You can use the token inside the subject of the Splunk email action. But it will take the first value from the field instead of the total.

To do that, use this in your query instead of addcoltotals:

my_search | chart count AS XXXX by YYYY
| appendpipe [| stats sum(File_Count) by Total_Delivered]

Use something like this in the subject of the email:

Files count is $result.Total_Delivered$

Reference - https://docs.splunk.com/Documentation/SplunkCloud/9.1.2308/Alert/EmailNotificationTokens

I hope this helps!!! 

raghul725
Explorer

Sorry, I am a bit lost here; how can I run the command if I don't use addcoltotals, please?

Without addcoltotals labelfield="Total Delivered", the field Total Delivered will not exist to do count by.

And if I add the command addcoltotals labelfield="Total Delivered" to your suggestion, it defeats the purpose, unless I am thick, which I very well can be!

VatsalJagani
SplunkTrust

@raghul725 - This line below can do whatever addcoltotals can do:

| appendpipe [| stats sum(File_Count) by Total_Delivered]

I used Total_Delivered instead of "Total Delivered", as spaces sometimes create issues with tokens.

I hope this helps!!

raghul725
Explorer

OK, the Total_Delivered field is defined via the labelfield option of the addcoltotals command.

So if we run

| appendpipe [| stats sum(File_Count) by Total_Delivered]

without addcoltotals labelfield, then the stats by from the above will not make any difference.

And if I run it as

| addcoltotals labelfield="Total_Delivered" | appendpipe [| stats sum(File_Count) as TFC by Total_Delivered]

the output is as below:

Files | Files_Count | Total_Delivered | TFC | Total_Delivered
F1    | 3           |                 |     |
F2    | 5           |                 |     |
F3    | 3           |                 |     | Total
      | 11          | Total           | 11  | Total

Is the above output what we are expecting, please? Although the view is NOT great, we can use TFC as a token in the subject to state the value, I believe?

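Added example, not from any of the posts above and not Splunk's own code: a small Python simulation of the three SPL stages discussed in this thread (addcoltotals, appendpipe with stats sum ... by, and the $result.<field>$ email token, which, as the answer says, reads the first result row). The rows are constructed to match the table in the question, and Files_Count is assumed as the count field name (the query itself uses the XXXX placeholder). It also goes one step beyond the thread: the last check reverses the result order, as `| reverse` would, so that the appended totals row becomes the first row the token reads.

```python
"""Simulate how Splunk's $result.<field>$ email token resolves against
search results, so the behaviour discussed in the thread can be checked
offline. Added illustration, not Splunk code: each function is a
simplified stand-in for the SPL command it is named after."""

from typing import Optional

# Constructed sample: the rows that `chart count AS Files_Count by Files`
# would produce for the table in the question (Files_Count is assumed).
CHART_ROWS = [
    {"Files": "F1", "Files_Count": 3},
    {"Files": "F2", "Files_Count": 5},
    {"Files": "F3", "Files_Count": 3},
]


def addcoltotals(rows, labelfield):
    """Stand-in for `| addcoltotals labelfield=<name>`: append one row that
    sums every numeric field and carries the literal "Total" in labelfield."""
    totals = {}
    for row in rows:
        for field, value in row.items():
            if isinstance(value, (int, float)):
                totals[field] = totals.get(field, 0) + value
    totals[labelfield] = "Total"
    return rows + [totals]


def appendpipe_stats_sum(rows, sum_field, by_field, as_field):
    """Stand-in for `| appendpipe [| stats sum(<f>) as <a> by <by>]`:
    group rows on by_field (rows where it is missing are dropped, as
    stats does), sum sum_field per group, and append the group rows."""
    groups = {}
    for row in rows:
        key = row.get(by_field)
        if key is None:
            continue
        groups[key] = groups.get(key, 0) + (row.get(sum_field) or 0)
    appended = [{by_field: key, as_field: total} for key, total in groups.items()]
    return rows + appended


def result_token(rows, field) -> Optional[object]:
    """$result.<field>$ takes the value from the FIRST result row,
    which is the point the answer above makes."""
    return rows[0].get(field) if rows else None


def token_values():
    """Resolve the subject-line token for each query variant in the thread
    and return what the email subject would actually contain."""
    # Variant 1 (question): addcoltotals only; the total sits in the last row.
    v1 = addcoltotals(CHART_ROWS, "Total Delivered")
    # Variant 2 (answer as written): appendpipe without addcoltotals;
    # Total_Delivered does not exist yet, so stats by it groups nothing.
    v2 = appendpipe_stats_sum(CHART_ROWS, "Files_Count", "Total_Delivered",
                              "sum(Files_Count)")
    # Variant 3 (last post): addcoltotals, then appendpipe stats ... as TFC.
    v3 = appendpipe_stats_sum(addcoltotals(CHART_ROWS, "Total_Delivered"),
                              "Files_Count", "Total_Delivered", "TFC")
    # Added check (not in the thread): reversing the rows, as `| reverse`
    # would, makes the appended totals row the first row the token reads.
    v3_reversed = list(reversed(v3))
    return {
        "addcoltotals_only": result_token(v1, "Total Delivered"),
        "appendpipe_only_rows_added": len(v2) - len(CHART_ROWS),
        "addcoltotals_then_appendpipe": result_token(v3, "TFC"),
        "last_row_TFC": v3[-1].get("TFC"),
        "reversed_then_token": result_token(v3_reversed, "TFC"),
    }


if __name__ == "__main__":
    for name, value in token_values().items():
        print(f"{name}: {value!r}")
```

The functions are deliberately minimal stand-ins, enough to show which row the total lands in for each variant; the real commands should still be checked in Search before an alert subject is built on them.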