Alerting

How to display the scheduled job start time and current time in the alert email subject line?

marellasunil
Communicator

Hi,
I would like to display the job schedule time in the alert subject line.
For example, I have an alert which runs over the last 15 mins, and I want to display the job start time and the present time in the subject line.

  1. I have tried adding $job.earliestTime$ in the alert subject line, but I am getting an empty field.
  2. When I tried "$trigger_time$", I am getting the result as 1422965960 instead of a time. Can someone suggest? Getting it either way should be fine.
0 Karma

woodcock
Esteemed Legend

You can add | addinfo to your search and use $result.whatever$ where whatever is the field from addinfo or another one that you generated (formatted) from those it adds.

0 Karma
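
One way to apply the addinfo suggestion above, shown as a savedsearches.conf stanza (an added example, not part of the original thread). The stanza name, index, sourcetype, status field and recipient are hypothetical placeholders, and job_start, job_end and triggered are field names made up for this example.

```ini
# Added example (not from the thread). Stanza name, index, sourcetype,
# status field and recipient are hypothetical placeholders.
[Failures in last 15 minutes]
# addinfo attaches info_min_time / info_max_time (epoch seconds bounding the
# search time range) to each result; strftime renders them as readable text.
search = index=main sourcetype=app_logs status=failure \
| stats count AS failures \
| where failures > 0 \
| addinfo \
| eval job_start=strftime(info_min_time, "%Y-%m-%d %H:%M:%S"), \
       job_end=strftime(info_max_time, "%Y-%m-%d %H:%M:%S"), \
       triggered=strftime(now(), "%Y-%m-%d %H:%M:%S") \
| fields failures job_start job_end triggered
dispatch.earliest_time = -15m
dispatch.latest_time = now
cron_schedule = */15 * * * *
enableSched = 1
counttype = number of events
relation = greater than
quantity = 0
action.email = 1
action.email.to = soc@example.com
# $result.<field>$ is filled from the first result row of the search.
action.email.subject = Failures between $result.job_start$ and $result.job_end$ (sent $result.triggered$)
```

The formatted fields stay in the search results, because the $result.…$ tokens are read from the result row itself.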

helenashton
Path Finder

How do you do this but not display the info in the report?
I want to be able to do this for the email subject line for both a scheduled report and a scheduled dashboard.

0 Karma

woodcock
Esteemed Legend

You cannot.

0 Karma

splunkcvc
New Member

I'm running 6.2.5.
To be clear, the issue is happening only with dashboards converted to PDF format and emailed via the PDF delivery option.

I think the issue is with Splunk's dashboard mode: because there are multiple panels, it doesn't know where to grab a timestamp value.

Unlike saved searches and reports, there's only 1 time stamp value being passed.

0 Karma

cramasta
Builder

What version are you running? Only the more recent versions of Splunk allow you to include these tokens.
When I changed the subject line to be
Splunk Report: $job.earliestTime$
I got the following in my email subject line
Splunk Report: 2015-02-04T22:30:00.000+00:00
I am running 6.1.5

0 Karma

marellasunil
Communicator

Hi Cramasta,
I am also using Splunk 6.1.5.
When I run the below details in search, I am getting the date in the subject line.
Query:
sendemail to=XXXXX@splunk.com server=XXXXXXXXXXXXXXX subject="failures between $job.earliestTime$ and $job.latestTime$" message="This is an example message" sendresults=true inline=true format=raw sendpdf=true

But when I am running the query in the app (we have created a separate app for alerting), I am getting empty results. Do I need to do any modification in the app to get the exact result? I mean, I have enabled the "send email" option in the alert setting.

0 Karma

David
Splunk Employee

Have you tried walking through the workflow in the save alert screen, as opposed to using sendemail? I would not expect there to be a different behavior there, but given that it should work...

0 Karma

marellasunil
Communicator

Hi David,
Yes, I have. When I use "$trigger_time$" in the subject line field, it is working (getting results as 1422965960 instead of a date), but when I am using $job.earliestTime$ I am getting empty.

0 Karma