Alerting

How to combine two tokens (with NO Space) in an alert email?

adamfiore
Explorer

I have an email alert that I've configured that I would like to include two tokens without a space in the body of the email.

The two fields are:

- member_nt_domain = URT\
- member = jsmith

So, I would like the output in the email formatted like this: URT\jsmith. The reason that I can't have the space is that the domain token includes the backslash - otherwise adding "\" in between the two tokens would produce the desired result.

I have tried the following, but none seem to work. (I've included the result that each produces in the section after the -->)

$result.member_nt_domain result.member$  -->  *blank*
$result.member_nt_domain$ $result.member$  -->  URT\ jsmith
$result.member_nt_domain$$result.member$  -->  $result.member_nt_domain$result.member$
$result.member_nt_domain$result.member$  -->  URT\result.member$

Thanks for the help.

0 Karma
1 Solution

kmaron
Motivator
| eval domainmember = member_nt_domain.member

then use the token: $result.domainmember$


adamfiore
Explorer

Perfect, thanks!

0 Karma

kmaron
Motivator

Could you do an eval in the actual search to make a new token that is exactly what you want?

s2_splunk
Splunk Employee

Haven't tried this with the tokens themselves, but you could use an eval in your alerting search to create a new field with the combined/concatenated value and use that as the token instead.

adamfiore
Explorer

Thanks for the suggestion. I'm just getting started with Splunk - any chance you could provide an example of how to do this? Here is how the search is currently written. Appreciate it.

EventCode=4732 Group_Name=Administrators Group_Domain=Builtin | fields *

0 Karma

s2_splunk
Splunk Employee

See @kmaron's answer below. You can probably remove the "| fields *"
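The accepted answer applied to the search posted in this thread, as an added example that is not part of any participant's post. The `coalesce` calls are an addition: eval concatenation returns null if either operand is null, which would leave `$result.domainmember$` blank in the email when an event lacks one of the two fields. The `"unknown"` fallback value and the `table` line are assumptions.

```spl
EventCode=4732 Group_Name=Administrators Group_Domain=Builtin
| eval domainmember = coalesce(member_nt_domain, "") . coalesce(member, "unknown")
| table _time, host, domainmember
```

With the sample values from the question, `$result.domainmember$` renders as URT\jsmith in the alert email.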
