topic Re: How to create custom time-alert-email subject? in Alerting

How to create custom time-alert-email subject?

Vani_26 — Thu, 11 Aug 2022 04:10:46 GMT

I have an alert where i want the below date and time should get displayed in email subject

Here alert is getting the data from March 02,2022 8:00pm to March 03,2022 8:00pm

Like from yesterday 8:00pm to today's 8:00pm data and alert will get triggered everyday at 11pm

I want to get the date and time like shown below

March 02,2022 8:00pm to March 03,2022 8:00pm

Thanks in advance

Re: How to create custom time-alert-email subject?

diogofgm — Thu, 11 Aug 2022 11:08:28 GMT

You can use tokens on multiple alert actions fields to accomplish that.

Check this docs page:

https://docs.splunk.com/Documentation/Splunk/9.0.0/Alert/EmailNotificationTokens

Re: How to create custom time-alert-email subject?

Taruchit — Thu, 11 Aug 2022 12:36:26 GMT

Hi @Vani_26,

Is the time displayed in each email alert going to be the same?

Thank you

Re: How to create custom time-alert-email subject?

Taruchit — Thu, 11 Aug 2022 13:39:05 GMT

Hi @Vani_26,

Considering the following two assumptions: -

1. Your subject line will have date of a prior day and current day.

2. Your subject line will have fixed time: 8 pm.

You can try using the below: -

In SPL of your alert, towards the end, add the below code: -

|eval currentDay=strftime(now(),"%B %d, %Y") |eval lastDay=strftime(relative_time(now(),"-d"),"%B %d, %Y")

Then in Splunk alert settings, add the following to your subject line: -

'$result.lastDay$' 8:00 pm to '$result.currentDay$' 8:00 pm

Please try at your end and share your results.

Thank you

Re: How to create custom time-alert-email subject?

Vani_26 — Thu, 11 Aug 2022 19:42:58 GMT

@Taruchit , yes it is coming as expected, but i dont want to see this lastDay and currentDay fields in the query table.

so i tried doing |fields - lastDay currentDay

but when i am adding this in the query , it is not showing up, but in the email subject it is not showing up March08,2022. this is missing.

How can do this?

Re: How to create custom time-alert-email subject?

Taruchit — Fri, 12 Aug 2022 08:23:02 GMT

Hi @Vani_26,

Let us assume your Splunk alert has results with five fields with field names: - A, B, C, D, E.

You can add the below code in your SPL: -

|fields A, B, C, D, E

This will allow you to display the relevant fields only in your Splunk results and also use the two extra fields we added for adding the dates in Splunk alert.

Please share if the above helps to resolve the issue.

Thank you

Re: How to create custom time-alert-email subject?

Taruchit — Fri, 12 Aug 2022 08:25:57 GMT

Thus, in your existing SPL of the alert, you can the following: -

|eval currentDay=strftime(now(),"%B %d, %Y") |eval lastDay=strftime(relative_time(now(),"-d"),"%B %d, %Y") |fields <list of field names which you need in the alert>

Please share if the above helps to accomplish your solution.

Thank you

Re: How to create custom time-alert-email subject?

diogofgm — Fri, 12 Aug 2022 09:29:15 GMT

If you are using the $result.fieldname$ token that field must be in the result.

Re: How to create custom time-alert-email subject?

Taruchit — Fri, 12 Aug 2022 09:54:06 GMT

Hi @diogofgm,

I tried by using the below: -

|fields <list of required field names>

And in the above code I left out the fieldname that is used in Splunk alert.

But it still worked for me when I invoked that fieldname in subject line of the Splunk email alert.

Thank you

Re: How to create custom time-alert-email subject?

Vani_26 — Sat, 13 Aug 2022 02:09:21 GMT

My requirement is also same but if I don't add the field names in the query

The date and month is not getting displayed.

Re: How to create custom time-alert-email subject?

Vani_26 — Sat, 13 Aug 2022 02:13:02 GMT

@Taruchit

I tried doing by adding

I fields a b c d

But if I don't add the date fields it is not showing up in the email subject

Please suggest