I am trying to understand how to use and implement tokens in email alerts. Before asking the question I tried reading the documentation and applying it to my search by trial and error, but no luck. Unfortunately, I find the documentation not very helpful. I am the kind of person who finds it easier to understand a concept when someone shows me an example. It is just the way I am :) and I hope someone can explain it to me the way they would explain it to someone with no knowledge. There is no shame in asking :) and I hope this will help a lot of people at my level to understand this concept. Thanks for all the help in advance.
My query is really simple:
host=pa01 sourcetype="WMI:LocalPhysicalDiskInfo" Name="C:" | eval FreeSpace = round((FreeSpace/1024/1024/1024),2) | eval Size = round((Size/1024/1024/1024),2) | table host,Name,Size,FreeSpace | dedup Name | search FreeSpace<157
If my C drive is below a certain amount, I will get an email alert. I can manually set the fields in the alert's edit dialog, which would be fine, but for learning purposes I would like to populate the subject field and message body with tokens if possible.
The documentation says to put "Splunk Alert: $name$" in the subject field, so, as someone who has never used tokens before, I tried replacing "$name$" with "$host$" since I have that field in my search. When the alert triggered, I got the email, but that field was blank in the subject line. Basically, I wanted "Splunk Alert: search results from pa01" to appear in the subject line. I tried "$results.host$" and that did not work either. The documentation talks about using results, action, server and a bunch of other tokens. What are they? The documentation talks about it and gives a bunch of examples, but NONE OF THEM simplifies it. Why can't they explain it in a way that people like myself can understand?
For the message body I tried using the below:
"The alert condition for '$host$' was triggered. Disk space is at $results.FreeSpace$ GB" I basically used the same logic as above, since I have those fields in my search result. I guess once I understand how this all works, I can apply the same logic to other fields.
I started using Splunk almost 3 or 4 months ago, and if it wasn't for this forum I would be completely lost.
Thank you all for what you do.
I'm sorry you didn't find what you were looking for in the documentation. There are a couple of issues at play here:
1) $name$ works because it is a pre-defined token for alerts, while $host$ is not.
2) In order to access field values, such as the field host, you would use the following format: $result.fieldname$. In your case the token would look like $result.host$.
The one caveat is that the field you want to specify must be returned in the first result row of the search. So, if your search returns the field host, you should just be able to plug it in as stated above.
I hope this clarifies things for you, please let me know if it doesn't.
Thanks Emeelan, it helps. I guess I will have to bang my head against the wall many, many times before I get the rest right :)
One question: can you please let me know what should be done to bring in both the first and second rows?
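As an added example (not part of the answer above, and not the asker's own alert), here is what the alert looks like as a savedsearches.conf stanza with the tokens the answer describes, followed by a variant for the follow-up question about getting more than one row into the email. The stanza names, the recipient address, the schedule and the multi-host variant are assumptions for illustration; the token syntax is the one stated in the answer. Because tokens only read the first result row, the variant collapses every matching row into a single row with stats, so the one row the tokens can see carries all hosts.

```ini
# savedsearches.conf -- hypothetical stanza; only the search and the
# token syntax come from the thread above.
[Low disk space on C drive - pa01]
search = host=pa01 sourcetype="WMI:LocalPhysicalDiskInfo" Name="C:" | eval FreeSpace = round(FreeSpace/1024/1024/1024, 2) | eval Size = round(Size/1024/1024/1024, 2) | table host, Name, Size, FreeSpace | dedup Name | search FreeSpace<157
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
# Trigger when the search returns at least one row.
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
action.email = 1
action.email.to = ops@example.com
# $name$ is a pre-defined alert token (the saved search name).
# $host$ on its own is NOT a token, which is why the original subject
# rendered blank. Field values are read from the FIRST result row
# via $result.<fieldname>$.
action.email.subject = Splunk Alert: search results from $result.host$
action.email.message.alert = The alert condition for '$result.host$' was triggered. Disk space is at $result.FreeSpace$ GB free of $result.Size$ GB on $result.Name$.

# Assumed variant for the follow-up question: several hosts may be low on
# C: space at once, but tokens see only row 1. Collapse all rows into one
# whose fields hold every value, then join the multivalue fields into
# plain strings so they render cleanly in the subject and body.
[Low disk space on C drive - all hosts]
search = sourcetype="WMI:LocalPhysicalDiskInfo" Name="C:" | eval FreeSpace = round(FreeSpace/1024/1024/1024, 2) | dedup host | where FreeSpace < 157 | eval summary = host . " has " . FreeSpace . " GB free" | stats count AS hosts_affected, values(host) AS host, values(summary) AS summary | where hosts_affected > 0 | eval host = mvjoin(host, ", "), summary = mvjoin(summary, "; ")
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
action.email = 1
action.email.to = ops@example.com
action.email.subject = Splunk Alert: low C: space on $result.hosts_affected$ host(s): $result.host$
action.email.message.alert = $result.summary$
```

Two details worth noting in the second stanza: `stats count` always emits one row even when nothing matched, so the trailing `where hosts_affected > 0` is what keeps the "number of events greater than 0" condition from firing on an empty result; and `values()` both deduplicates and sorts, so the host list in the subject is alphabetical rather than in event order.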