One problem that I have with alerting from Splunk is that when I alert by email, total width of the table can exceed what the recipient can handle lookin at. I'd like to start transposing my result table to address this.
That is, I'd like to go from sending alerted results like this
| time | field1 | field2 | field 3 |
| 5/31/2022 | value1 | value2 | really long value 3, so long that it creates a formatting problem. Oh noes! What will I do? |
To something more like this:
Time: 5/31/2022
field1: value1
field2: values2
field3: really long value 3, so long that it creates a formatting problem. Oh noes! What will I do?
I know that I could create a field name called "alert fields" and manually create the fields, but is there a simple way to do this in Splunk
