Hi all,
I am trying to understand how to use and implement tokens in email alerts. Before asking the question I tried reading the document and apply it to my search with trial and error but no luck. Unfortunately, I find the documentation not very helpful. I am the kind of person who finds it easier to understand a concept when someone shows me with an example. It is just the way I am:) and I hope someone can explain it to me in a way they explain to someone with no knowledge. There is no shame in asking:) and I hope this will help a lot of people at my level to understand this concept. Thanks for all the help in advance
my query is really simple.
host=pa01 sourcetype="WMI:LocalPhysicalDiskInfo" Name="C:"|eval FreeSpace = round((FreeSpace/1024/1024/1024),2)| eval Size = round((Size/1024/1024/1024),2)|table host,Name,Size,FreeSpace|dedup Name|search FreeSpace<157
If my c drive is less than certain amount I will get an email alert. I can manually set the fields in edit for the alert and which would be fine, but for learning purposes, I would like to populate the subject field and message body with tokens if possible.
In documentation it says "Splunk Alert: $name$" in the subject field, so for someone who's never used tokens before I tried replacing "$name$" with "$host$" since I have that field in my search and when alert triggered, I got the email but that field was blank in subject line. So basically, I wanted to get " Splunk Alert: search results from pa01" appear in the subject line. I tried "$results.host$" that did not work documentation talks about using results, action, server and bunch of other tokens. what are they?The documentation talks about it and gives a bunch of examples but NONE OF THEM simplifies it why can't they explain it in a way that so people like myself can understand it?
For the message body I tried using the below;
"The alert condition for '$host$' was triggered.Disc space is at $results.FreeSpace$ GB" I basically used the same logic from above since I have those fields in my search result. I guess, once I understand how this all works, I can apply the same logic to other fields.
I started using Splunk almost 3 or 4 months ago, and if it wasn't for this forum I would be completely lost.
Thank you all for what you do.
Hi,
I'm sorry you didn't find what you were looking for in the documentation. There are a couple of issues at play here:
1). $name$ works because it is a pre-defined token for alerts, while $host$ is not.
2). In order to access field values, such as the field $host$, you would use the following format: $result.fieldname$. In your case the token would look like $result.host$.
The one caveat is that the field you want to specify must be returned in the first result row of the search. So, if your search returns the field host, you should just be able to plug it in as stated above.
I hope this clarifies things for you, please let me know if it doesn't.
Hi,
I'm sorry you didn't find what you were looking for in the documentation. There are a couple of issues at play here:
1). $name$ works because it is a pre-defined token for alerts, while $host$ is not.
2). In order to access field values, such as the field $host$, you would use the following format: $result.fieldname$. In your case the token would look like $result.host$.
The one caveat is that the field you want to specify must be returned in the first result row of the search. So, if your search returns the field host, you should just be able to plug it in as stated above.
I hope this clarifies things for you, please let me know if it doesn't.
Can I use same token concept in ES adaptive respond send email action. if my notable event search return the field?
"The one caveat is that the field you want to specify must be returned in the first result row of the search. So, if your search returns the field host, you should just be able to plug it in as stated above."
This helped me tons! I've been trying to resolve my issue. I have an alert, that needs to display results even when there are no results. So I added this and it worked great:
| appendpipe
[stats count as _resultcount
]
However, I needed to display this count in the subject line of the email. When there were 0 results, it worked fine, but when there were actual results - it didn't work! I couldn't use $job.resultCount$ because I had an extra row, so it was not accurate. It was so puzzling, and ran into your answer. I added this, and now it works:
| sort _resultcount
Thank you!!!
HI emeelan,
One question, can you please let me know, what should be done to bring both the first and second rows?
Thanks Emeelan.it helps.i guess i will have to bang my head against the wall many many times before i get the rest right:)