Email Alert Subject - Splunk Community

Alerting

Dear Splunkers:

Is there any way to add extra search result field value to alert email subject? like host value
Thanks in advance!!

From what I've read, it supports $name$ and the name of the saved search, and $seach$ as the search string itself.

You can configure scripted alerts as per as alert_actions.conf#Script_options, but you're constrained by these 8:

SPLUNK_ARG_0 Script name
SPLUNK_ARG_1 Number of events returned
SPLUNK_ARG_2 Search terms
SPLUNK_ARG_3 Fully qualified query string
SPLUNK_ARG_4 Name of saved search
SPLUNK_ARG_5 Trigger reason (for example, "The number of events was greater than 1")
SPLUNK_ARG_6 Browser URL to view the saved search
SPLUNK_ARG_8 File in which the results for this search are stored (contains raw results)

If you want to use hosts, then I think you're going to have to play around with custom scripted inputs.

Check this link out as well, which can point you in the right direction: http://splunk-base.splunk.com/answers/34570/how-to-add-custom-email-alert-content

Get Updates on the Splunk Community!

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

In today’s data-heavy environment, organizations are caught in a data distribution dilemma. As data volumes ...

GA: New Data Management App in Splunk Platform

Streamlining Data Management: Introducing a unified experience in Splunk Managing data at scale shouldn’t feel ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...