I have an email alert that I've configured that I would like to include two tokens without a space in the body of the email.
The two fields are:
- memberntdomain = URT\
- member = jsmith
So, I would like the output in the email formatted like this: URT\jsmith. The reason that I can't have the space is that the domain token includes the backslash - otherwise adding "\" in between the two tokens would produce the desired result.
I have tried the following, but none seem to work. (I've included the result that each produces in the section after the -->)
$result.member_nt_domain result.member$ --> *blank* $result.member_nt_domain$ $result.member$ --> URT\ jsmith $result.member_nt_domain$$result.member$ --> $result.member_nt_domain$result.member$ $result.member_nt_domain$result.member$ --> URT\result.member$
Thanks for the help.
Haven't tried this with the tokens themselves, but you could use an eval in your alerting search to create a new field with the combined/concatenated value and us that as the token instead.
Thanks for the suggestion. I'm just getting start with Splunk - any chance you could provide an example of how to do this. Here is how the search is currently written. Appreciate it.
EventCode=4732 GroupName=Administrators GroupDomain=Builtin | fields *