Alerting

How can I transpose a table in an email alert?

rsanders30
Path Finder

So I am trying to figure out if there's a way to transpose a table in an email alert. I tried using "| transpose".

The problem was that Splunk ended up splitting each row into an email event causing at least 15 emails to be sent for 1 event. I did try to use tokens, but I would like to keep the bold header fonts in the email, in addition to the fact that I don't want to have to create tokens for each email alert as there are at least 15 fields.


pinkyyu
New Member

Try using the example below in your email alert content, and change the BOLD words to what you want to put.

Date : $$result.time_detected$$
Machine name: $$result.src$$
Username: $$result.user$$
Path: $$result.file_path$$


rsanders30
Path Finder

Thank you. That is what I did for now. However, I was hoping to keep the table format. Hopefully, in the future Splunk allows more options and/or customization for emails.


somesoni2
Revered Legend

Can you provide more details like your alert search, alert conditions, alert type (once per search OR once per result), etc.?


rsanders30
Path Finder

alert search: dvc_plug_success
which is:

index=epo source=epo prod_action=Block threat_type="Device Plug" | eval et_time=strftime(_time, "%m/%d/%y %H:%M:%S") | table et_time, event_id, hostname, ipaddress, domain, username, bus_type, dev_plug_utc, threat_vector, threat_type, product_action, dev_class_name, dev_desc, dev_name, dev_compatible_id, dev_instance_id, pci_vendor_id, pci_device_id, usb_class, usb_vendor_id, usb_product_id, usb_serial, fs_type, fs_state, fs_vol_serial, fs_vol_label

Alert settings are:
alert type: real-time

trigger alert when "Per Result"
Actions: Send Email
Message: default email alerts
To include: link to alert, link to results, Inline: Table, Attach PDF
Type: HTML&Plain Text

Let me know if you need anything else.


somesoni2
Revered Legend

You've set up a real-time alert, for which the alert type/triggering condition is per result. So if your alert search is generating 10 records, it will send out 10 alerts. I would suggest converting this to a scheduled alert (runs with a fixed time range and at a frequency), which allows "once per search" triggering. See this link for more details on those two types of alerts:
https://docs.splunk.com/Documentation/Splunk/7.2.3/Alert/AlertTypesOverview


rsanders30
Path Finder

The problem isn't the records. The issue is that in the emails I want the table to be vertical and not horizontal. If I use the transpose in the search, an email is produced for each field in the table. So there would be an email for time, another for event_id, another for hostname, and so on.

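An added example, not from anyone in this thread and not Splunk's own documentation: a savedsearches.conf stanza that combines somesoni2's suggestion (a scheduled alert triggered once per search) with the transposed table, so all the field rows land in one inline HTML email instead of one email per row. The stanza name, recipient address, schedule and the shortened field list are assumptions.

```ini
# savedsearches.conf (assumed stanza name; added example, not the poster's config)
[dvc_plug_success_digest]

# Scheduled instead of real-time: run every 5 minutes over the previous 5 minutes.
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = @m

# Same base search as the thread; transpose turns fields into rows, and each
# blocked plug event becomes a column ("row 1", "row 2", ...). "0" = all rows.
search = index=epo source=epo prod_action=Block threat_type="Device Plug" \
  | eval et_time=strftime(_time, "%m/%d/%y %H:%M:%S") \
  | table et_time, event_id, hostname, ipaddress, domain, username, bus_type, \
          threat_type, product_action, dev_name, usb_vendor_id, usb_product_id, usb_serial \
  | transpose 0 column_name=field

# Once per search (digest mode) so the transposed rows stay in a single email.
# Note: after transpose the result count is the number of fields, not events,
# so "greater than 0" still fires whenever at least one event was found.
alert.digest_mode = 1
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1

# Email action: results inline as a table, HTML so the header stays bold.
action.email = 1
action.email.to = soc-alerts@example.com
action.email.subject = Blocked device plug events (last 5 minutes)
action.email.sendresults = 1
action.email.inline = 1
action.email.format = table
action.email.content_type = html
action.email.include.results_link = 1
```

Keeping the field list short matters here: after transpose the email table is only as wide as the number of events in the window, but every listed field becomes a row, so a 25-field list produces a 25-row table per digest.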