Splunk Alerts: How to use email address from variable?

3666142 — Thu, 02 Mar 2023 16:54:28 GMT

We have data set up like this:

{

email:JohnSmith@Company.com

Count:100

{

email:DavidHarris@Company.com

Count:50

{

email:ChuckNorris@Company.com

Count:90

}

I want to set up an alert where a specific person will be emailed if their alert is > 80, but I want to use the email field. So I want Chuck to get an email and John to get a separate email. David does not get an alert because the count did not break the threshold.

In the alert setup, can I put $email$ in the "To: " part of the send email action??

Re: Splunk Alerts: Use email address from variable

ITWhisperer — Thu, 02 Mar 2023 15:21:35 GMT

You can use fields from the first line of the results in the alert, e.g. $result.email$ assuming your search includes the email field. Then if you trigger the alert for each result (rather than just once), each result will execute the action with its corresponding row from the events.

topic Splunk Alerts: How to use email address from variable? in Alerting

Splunk Alerts: How to use email address from variable?

Re: Splunk Alerts: Use email address from variable