Alerting

How to implement tokens in Email alert?

carlyleadmin
Contributor

Hi all,

I am trying to understand how to use and implement tokens in email alerts. Before asking the question I tried reading the document and apply it to my search with trial and error but no luck. Unfortunately, I find the documentation not very helpful. I am the kind of person who finds it easier to understand a concept when someone shows me with an example. It is just the way I am:) and I hope someone can explain it to me in a way they explain to someone with no knowledge. There is no shame in asking:) and I hope this will help a lot of people at my level to understand this concept. Thanks for all the help in advance

my query is really simple.

host=pa01 sourcetype="WMI:LocalPhysicalDiskInfo" Name="C:"|eval FreeSpace = round((FreeSpace/1024/1024/1024),2)| eval Size = round((Size/1024/1024/1024),2)|table host,Name,Size,FreeSpace|dedup Name|search FreeSpace<157

If my c drive is less than certain amount I will get an email alert. I can manually set the fields in edit for the alert and which would be fine, but for learning purposes, I would like to populate the subject field and message body with tokens if possible.

In documentation it says "Splunk Alert: $name$" in the subject field, so for someone who's never used tokens before I tried replacing "$name$" with "$host$" since I have that field in my search and when alert triggered, I got the email but that field was blank in subject line. So basically, I wanted to get " Splunk Alert: search results from pa01" appear in the subject line. I tried "$results.host$" that did not work documentation talks about using results, action, server and bunch of other tokens. what are they?The documentation talks about it and gives a bunch of examples but NONE OF THEM simplifies it why can't they explain it in a way that so people like myself can understand it?

For the message body I tried using the below;
"The alert condition for '$host$' was triggered.Disc space is at $results.FreeSpace$ GB" I basically used the same logic from above since I have those fields in my search result. I guess, once I understand how this all works, I can apply the same logic to other fields.

I started using Splunk almost 3 or 4 months ago, and if it wasn't for this forum I would be completely lost.

Thank you all for what you do.

0 Karma
1 Solution

emeelan_splunk
Splunk Employee
Splunk Employee

Hi,
I'm sorry you didn't find what you were looking for in the documentation. There are a couple of issues at play here:

1). $name$ works because it is a pre-defined token for alerts, while $host$ is not.

2). In order to access field values, such as the field $host$, you would use the following format: $result.fieldname$. In your case the token would look like $result.host$.

The one caveat is that the field you want to specify must be returned in the first result row of the search. So, if your search returns the field host, you should just be able to plug it in as stated above.

I hope this clarifies things for you, please let me know if it doesn't.

View solution in original post

emeelan_splunk
Splunk Employee
Splunk Employee

Hi,
I'm sorry you didn't find what you were looking for in the documentation. There are a couple of issues at play here:

1). $name$ works because it is a pre-defined token for alerts, while $host$ is not.

2). In order to access field values, such as the field $host$, you would use the following format: $result.fieldname$. In your case the token would look like $result.host$.

The one caveat is that the field you want to specify must be returned in the first result row of the search. So, if your search returns the field host, you should just be able to plug it in as stated above.

I hope this clarifies things for you, please let me know if it doesn't.

abi2023
Path Finder

Can I use same token concept in ES adaptive respond send email action. if my notable event search return the field?

0 Karma

splunkyj
Path Finder

"The one caveat is that the field you want to specify must be returned in the first result row of the search. So, if your search returns the field host, you should just be able to plug it in as stated above."

 

This helped me tons! I've been trying to resolve my issue. I have an alert, that needs to display results even when there are no results. So I added this and it worked great:

| appendpipe
[stats count as _resultcount
]

However,  I needed to display this count in the subject line of the email. When there were 0 results, it worked fine, but when there were actual results - it didn't work! I couldn't use $job.resultCount$ because I had an extra row, so it was not accurate. It was so puzzling, and ran into your answer. I added this, and now it works:

| sort _resultcount

Thank you!!!

0 Karma

nadlurinadluri
Communicator

HI emeelan,

One question, can you please let me know, what should be done to bring both the first and second rows?

0 Karma

carlyleadmin
Contributor

Thanks Emeelan.it helps.i guess i will have to bang my head against the wall many many times before i get the rest right:)

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...