The attribute you need to set in savedsearches.conf is:
action.email.message.report = This is the message you want in the email \
body and it \
can have multiple lines by doing \
this
This will work if:
a) the attribute is specified in savedsearches.conf for the alerting search you want to modify
b) you make the manual change and restart Splunk or reload the .conf files
I used the UI to specify the message and then looked at the resulting savedsearches.conf
Another way is to create a lookup of "error messages" and "resolution tasks",
and if you extract the error field from each search, you can do a lookup at the end.
Then display the result as a table with columns.
Then on the alert, the resolution will be listed in the results.
|_time | host | count | error | resolution |
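The two approaches above combined in one alert, as an added example that is not from either poster: a lookup maps each error to a resolution, and the email body pulls that resolution in through result tokens. The index, sourcetype, field values, lookup name, CSV rows and recipient are constructed assumptions; `action.email.message.alert` is the alert counterpart of the report setting quoted above.

```ini
# --- lookups/error_resolutions.csv (constructed sample rows) ---
# error,resolution
# app_pool_high_memory,Recycle the app pool named in the alert
# disk_full,Clear old logs on the affected volume

# --- transforms.conf: register the CSV as a lookup (name is an assumption) ---
[error_resolutions]
filename = error_resolutions.csv

# --- savedsearches.conf: alert that joins each error to its resolution ---
[App pool high memory]
# index, sourcetype and the "error" field are assumptions for this example
search = index=web sourcetype=app_pool_metrics error=* \
| stats count latest(_time) as _time by host error \
| lookup error_resolutions error OUTPUT resolution \
| table _time host count error resolution
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
# trigger whenever the search returns at least one row
counttype = number of events
relation = greater than
quantity = 0
action.email = 1
action.email.to = ops@example.com
# include the result table in the email body
action.email.inline = 1
action.email.sendresults = 1
# $result.<field>$ is filled from the first result row only
action.email.message.alert = Alert '$name$' triggered on $result.host$. \
Error: $result.error$ \
Resolution: $result.resolution$
```

Because `$result.<field>$` tokens read only the first row, the inline table is what carries the resolution for every row when several errors fire at once.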
Hi Sanjay, thanks for the reply, but my question is: do we have anything in Splunk that we can add to the alert mail? For example:
I received an alert for high memory usage for an app pool, and Splunk sent an alert saying that particular app pool has high memory usage.
Can I add to that mail the below:
"Recycle app pool name to solve it"