How do you properly format Splunk email alerts?

samsam48 · ‎09-06-2018

I'm new to Splunk, and I'm having a hard time understanding how to properly format Splunk Email Alerts. I understand that we're able to pull information from the search results to include in the email body (like a field name with: $result.fieldName$ ). However, this is limited to the first value of the first row of results.

What if we had 100 events from the query, and we wanted to display the values of field_A that correspond to N number of events that have another field field_B = some_field_value.

The documentation doesn't seem to discuss anything more complex than pulling out single values, and it's making it difficult to build an email alert that provides charts of diagnostic information.

Any help or useful resources to look at would be appreciated. Thanks.

renjith_nair · ‎09-06-2018

Hi @samsam48,

By $result.fieldName$ you are referring to the message field. If you want to put the entire result in the email content, you can use the Include option - the 7th option mentioned in the following documentation

http://docs.splunk.com/Documentation/Splunk/7.1.2/Alert/Emailnotification#Define_an_email_notificati...

Also you could opt to just add the link to the results or add as a PDF/csv attachments.

Hope that helps for your requirement

Happy Splunking!

How do you properly format Splunk email alerts?

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Introducing Edge Processor: Next Gen Data Transformation

Take the 2021 Splunk Career Survey for $50 in Amazon Cash