So I am trying to figure out if there's a way to transpose a table in an email alert. I tried using: " | transpose"
The problem was that Splunk ended up splitting each row into an email event causing at least 15 emails to be sent for 1 event. I did try to use tokens, but I would like to keep the bold header fonts in the email, in addition to the fact that I don't want to have to create tokens for each email alert as there are at least 15 fields.
Try to use the example below in your email alert content, and change the BOLD words to what you want to put:
Date : $$result.time_detected$$
Machine name: $$result.src$$
index=epo source=epo prod_action=Block threat_type="Device Plug" | eval et_time=strftime(_time, "%m/%d/%y %H:%M:%S") | table time, event_id, hostname, ipaddress, domain, username, bus_type, dev_plug_utc, threat_vector, threat_type, product_action, dev_class_name, dev_desc, dev_name, dev_compatible_id, dev_instance_id, pci_vendor_id, pci_device_id, usb_class, usb_vendor_id, usb_product_id, usb_serial, fs_type, fs_state, fs_vol_serial, fs_vol_label
Alert settings are:
alert type: real-time
trigger alert when "Per Result"
Actions: Send Email
Message: default email alerts
To include: link to alert, link to results, Inline: Table, Attach PDF
Type: HTML&Plain Text
Let me know if you need anything else.
You've set up a real-time alert, for which the alert type/triggering condition is per result. So if your alert search is generating 10 records, it will send out 10 alerts. I would suggest converting this to a scheduled alert (runs with a fixed time range and at a frequency), which allows a "once per search" triggering. See this link for more details on those two types of alerts:
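To make the difference between the two trigger modes concrete, here is an added savedsearches.conf illustration (not from the original thread or from Splunk's own docs) of the "per result" real-time alert described above next to a scheduled "once per search" version of it, with the message body using the $result.field$ token form that the earlier reply suggests. The stanza names, email address and five-minute schedule are constructed; the search is a shortened form of the one posted above, and the key names are the standard savedsearches.conf ones, so check them against the spec file shipped with your Splunk version.

```ini
# Constructed example: real-time alert that triggers once per result.
# With `| transpose` in the search, every transposed row (one per field)
# becomes its own trigger, which is why one event produced many emails.
[EPO device plug - per result (before)]
search = index=epo source=epo prod_action=Block threat_type="Device Plug" | table time, event_id, hostname, username, dev_name | transpose
enableSched = 1
cron_schedule = * * * * *
dispatch.earliest_time = rt-5m
dispatch.latest_time = rt
alert_type = always
alert.digest_mode = 0
action.email = 1
action.email.to = soc-alerts@example.invalid
action.email.inline = 1
action.email.content_type = html

# Constructed example: scheduled alert over a fixed window that triggers
# once per search run, so all result rows arrive in a single email.
# The message body pulls individual field values with $result.<field>$ tokens.
[EPO device plug - once per search (after)]
search = index=epo source=epo prod_action=Block threat_type="Device Plug" | table time, event_id, hostname, username, dev_name
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = @m
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
alert.digest_mode = 1
action.email = 1
action.email.to = soc-alerts@example.invalid
action.email.inline = 1
action.email.sendpdf = 1
action.email.content_type = html
action.email.include.results_link = 1
action.email.include.view_link = 1
action.email.message.alert = Date: $result.time$\nMachine name: $result.hostname$\nUser: $result.username$\nDevice: $result.dev_name$
```

With digest mode on, the tokens in the message resolve from the first result row, while the inline table carries every row; so the per-field token approach and the single-email behaviour can be combined, at the cost of writing one token per field you want to call out.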
The problem isn't the records. The issue is that in the emails I want the table to be vertical and not horizontal. If I use the transpose in the search, an email is produced for each field in the table. So there would be an email for time, another for event_id, another for hostname, and so on.