Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to combine two tokens (with NO Space) in an alert email?

adamfiore
Explorer
‎06-19-2018 10:25 AM

I have an email alert that I've configured that I would like to include two tokens without a space in the body of the email.

The two fields are:

&nbsp - member_nt_domain = URT\
&nbsp - member = jsmith

So, I would like the output in the email formatted like this: URT\jsmith. The reason that I can't have the space is that the domain token includes the backslash - otherwise adding "\" in between the two tokens would produce the desired result.

I have tried the following, but none seem to work. (I've included the result that each produces in the section after the -->)

$result.member_nt_domain result.member$  -->  *blank*
$result.member_nt_domain$ $result.member$  -->  URT\ jsmith
$result.member_nt_domain$$result.member$  -->  $result.member_nt_domain$result.member$
$result.member_nt_domain$result.member$  -->  URT\result.member$

Thanks for the help.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kmaron
Motivator
‎06-19-2018 11:05 AM 
| eval domainmember = member_nt_domain.member

then use the token: $result.domainmember$

View solution in original post

Reply
Solved! Jump to solution
Solution

kmaron
Motivator
‎06-19-2018 11:05 AM 
| eval domainmember = member_nt_domain.member

then use the token: $result.domainmember$

Reply
Solved! Jump to solution

adamfiore
Explorer
‎06-19-2018 11:22 AM

Perfect, thanks!

0 Karma
Reply
Solved! Jump to solution

kmaron
Motivator
‎06-19-2018 10:46 AM

could you do an eval in the actual search to make a new token that is exactly what you want?

Reply
Solved! Jump to solution

s2_splunk
Splunk Employee
Splunk Employee
‎06-19-2018 10:46 AM

Haven't tried this with the tokens themselves, but you could use an eval in your alerting search to create a new field with the combined/concatenated value and us that as the token instead.

Reply
Solved! Jump to solution

adamfiore
Explorer
‎06-19-2018 10:52 AM

Thanks for the suggestion. I'm just getting start with Splunk - any chance you could provide an example of how to do this. Here is how the search is currently written. Appreciate it.

EventCode=4732 Group_Name=Administrators Group_Domain=Builtin | fields *

0 Karma
Reply
Solved! Jump to solution

s2_splunk
Splunk Employee
Splunk Employee
‎06-19-2018 11:23 AM

See @kmaron's answer below. You can probably remove the "| fields *"

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...