topic Re: How to select fields for email alert in Splunk Search

How to select fields for email alert

Jaci — Thu, 06 May 2010 22:13:10 GMT

Is there any way to control the reported fields in an email alert? I have configured splunk to add the search results inline, but I don't need all the fields it is showing. I only want the host and _raw fields to show up in the email. Can you point me in the direction where I can change this behavior?

Re: How to select fields for email alert

Dan — Thu, 06 May 2010 22:59:47 GMT

You can control this by appending "| fields + host,_raw" to the search string

Re: How to select fields for email alert

CerielTjuh — Fri, 07 May 2010 13:53:00 GMT

If Splunk is showing more fields then those two (_time) you can remove the fields you don't want by issuing the command | fields - _time after the | fields + host, _raw.

Re: How to select fields for email alert

Jaci — Fri, 07 May 2010 21:30:41 GMT

This is exactly what I was looking for. Thank you

Re: How to select fields for email alert

Jaci — Fri, 07 May 2010 21:31:14 GMT

Thank you for the answer, this is helpful.