https://community.splunk.com/t5/Alerting/Get-the-search-query-time-range-in-the-Alert-message-body/m-p/524429#M9826 <P><A href="https://docs.splunk.com/Documentation/Splunk/8.0.6/Alert/EmailNotificationTokens#Job_information_tokens" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.0.6/Alert/EmailNotificationTokens#Job_information_tokens</A></P><P>you can use email Notification tokens in your email body.</P><P><SPAN>$job.earliestTime$</SPAN></P><P><SPAN>$job.latestTime$</SPAN></P> Tue, 13 Oct 2020 14:08:23 GMT thambisetty 2020-10-13T14:08:23Z https://community.splunk.com/t5/Alerting/Get-the-search-query-time-range-in-the-Alert-message-body/m-p/524422#M9825 <P>Hello All,&nbsp;</P><P>I have a requirement to display the search query time range in the body of the email alert, is there a way i can do that?&nbsp;</P><P>Search:</P><P>index="ABC" source=XYZ earliest=-3month latest=now| table ClientId Restricted Success Rejected Failed Total&nbsp;</P><P>&nbsp;</P><P>I want to display the time range that my search considered in the email alert.&nbsp;</P><P>Thank you</P> Tue, 13 Oct 2020 13:50:09 GMT https://community.splunk.com/t5/Alerting/Get-the-search-query-time-range-in-the-Alert-message-body/m-p/524422#M9825 dchoubey 2020-10-13T13:50:09Z https://community.splunk.com/t5/Alerting/Get-the-search-query-time-range-in-the-Alert-message-body/m-p/524429#M9826 <P><A href="https://docs.splunk.com/Documentation/Splunk/8.0.6/Alert/EmailNotificationTokens#Job_information_tokens" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.0.6/Alert/EmailNotificationTokens#Job_information_tokens</A></P><P>you can use email Notification tokens in your email body.</P><P><SPAN>$job.earliestTime$</SPAN></P><P><SPAN>$job.latestTime$</SPAN></P> Tue, 13 Oct 2020 14:08:23 GMT https://community.splunk.com/t5/Alerting/Get-the-search-query-time-range-in-the-Alert-message-body/m-p/524429#M9826 thambisetty 2020-10-13T14:08:23Z https://community.splunk.com/t5/Alerting/Get-the-search-query-time-range-in-the-Alert-message-body/m-p/524432#M9827 <TABLE><TBODY><TR><TD>$job.earliestTime$</TD><TD>Initial job start time</TD></TR></TBODY></TABLE><P>....the initial job start time is the alert job start time or the "earliest" time the search query time?!?!</P><P>or, you can include the whole search query as well (which includes the earliest and latest times)</P><TABLE><TBODY><TR><TD><P>$search$</P></TD><TD>Search string</TD></TR></TBODY></TABLE> Tue, 13 Oct 2020 14:26:00 GMT https://community.splunk.com/t5/Alerting/Get-the-search-query-time-range-in-the-Alert-message-body/m-p/524432#M9827 inventsekar 2020-10-13T14:26:00Z