Splunk Search

Extract a field/or a single value from a scheduled alert table

smhsplunk
Communicator

So I am generating an alert every day at 2am. The alert is basically a table with several fields. Now I would like the user to utilize this saved alert by only using a single value from it (I need the entire table because beforehand I do not know which value the user will select).

Currently it is only:

<table>
<search ref="alert_objects"></search>
</table>

Is it possible to search in this like:

<table>
<search ref="alert_objects"> | search * host="$host_token$" 
 table total_time</search>
</table>
0 Karma
1 Solution

somesoni2
Revered Legend

Try like this

Replace

<table>
 <search ref="alert_objects"></search>
 </table>

With the updated version:

<form>
  ...other xml portions..
  <search ref="alert_objects" id="base_alert_objects"></search>
  ....
  <table>
    <search base="base_alert_objects">
      <query>search * host="$host_token$" | table total_time</query>
    </search>
  </table>
  ...
</form>

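A complete Simple XML form built around the pattern in the accepted answer, as an added example (not code from the original thread or from Splunk). It assumes a scheduled saved search named `alert_objects` that returns `host` and `total_time`, exactly as described in the question; the input name `host_token`, the base search id `base_alert_objects`, and the panel titles are choices made for this example. The dropdown is populated from the same base search, so the user can only pick a host that actually appears in the alert's last results, and the post-process query uses the `|s` token filter so the selected value is quoted and escaped as a literal rather than spliced into the search string as-is.

```xml
<form>
  <label>Session time per host (from scheduled alert)</label>

  <!-- Base search: loads the latest results of the saved search "alert_objects".
       The id lets the input and the table post-process those results
       instead of re-running the expensive transaction/stats pipeline. -->
  <search id="base_alert_objects" ref="alert_objects"></search>

  <fieldset submitButton="false">
    <!-- Dropdown options come from the base search, so the list of
         selectable hosts always matches what the alert actually produced. -->
    <input type="dropdown" token="host_token" searchWhenChanged="true">
      <label>Host</label>
      <search base="base_alert_objects">
        <query>stats count by host | fields host</query>
      </search>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
    </input>
  </fieldset>

  <row>
    <panel>
      <title>Total session time for $host_token$</title>
      <table>
        <!-- Post-process search: filters the base results to the chosen host
             and keeps only total_time. $host_token|s$ wraps the value in quotes
             and escapes embedded quotes, so it is matched as a literal. -->
        <search base="base_alert_objects">
          <query>search host=$host_token|s$ | table total_time</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Two things to check when wiring this up. First, the saved search is a shared knowledge object: a user who opens the dashboard needs read permission on `alert_objects` (and on the app it lives in), otherwise the base search errors out and every panel that depends on it stays empty. Second, a post-process search only sees the fields the base search returns, so the `| table host, total_time` at the end of the saved query is what makes `host` and `total_time` available here; if the saved search is later changed to drop one of those fields, the dropdown or the table will silently come back blank.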

smhsplunk
Communicator

awesome it works!

0 Karma

smhsplunk
Communicator

This should work, but it is giving me the entire table again; it seems like it's ignoring this entire part:

search * host="$host_token$" |  table total_time

I have

<row>
<panel>
<search ref="alert_objects" id="base_alert_objects" ></search>
<table>
  <search base="base_alert_objects">  search * host="$host_token$" |  table total_time</search>
  </table>
</panel>
</row>
0 Karma

somesoni2
Revered Legend

I missed the query tag in there. Try the updated one.

inventsekar
SplunkTrust

<search ref="alert_objects"></search>
is not the search query.

Can you copy and paste the whole XML please,
or the <query> part?

0 Karma

smhsplunk
Communicator

The actual search query is saved as an alert (alert name "alert_objects").
I am trying to get a field value from it. This is the actual query (saved as alert):

index=main host="*"
| transaction startswith="StartSession" endswith="EndSession" by source
| appendpipe [ | stats count | where count = 0 | eval duration=0 ]
| eval session_per_source = duration
| stats sum(session_per_source) as total_time by host
| table host, total_time
| fillnull value=NULL

I need the entire table as an alert, and was wondering if I could query this alert and only show the value part:
| search * host="$host_token$"
| table total_time

0 Karma