Alerting

How to include search variable in email, but not display in result table

AruBhende
Explorer

I am working on creating an alert from Splunk.  In my search I am creating a variable using eval, but that is not used in the result table.  But I would like to use it in the email subject and body.

index=applications sourcetype=aws:cloudwatchlogs ((Job="*prod-job1*") OR (Job="*prod-job2*"))
| eval emailTime=strftime(now(),"%m/%d/%Y")
| stats latest(_time) as _time latest(s3Partition) as s3Partition latest(field1) as field1 latest(field2) as field2 latest(emailTime) as emailTime by table_name
| search field2="*" emailTime=*
| eval diff=(field2-field1)
| eval evt_time=strftime(_time, "%Y-%m-%d")
| eval partition_date=substr(s3Partition, len("event_creation_time=")+1, len("yyyy-mm-dd"))
| where isnotnull(table_name) and isnotnull(emailTime) and ( evt_time == partition_date )
| table table_name, field1, field2, diff
| sort table_name
| rename table_name AS "Table Name" field1 AS "Field1 count" field2 AS "Field2 count" diff as "Count Difference"

I tried using it like $result.partition_date$ and $result.emailTime$ in the subject and body, but the value is not getting substituted - it appears empty in both places.

Is it possible to use this value in email without using it in the table for the alert?

Thank you

0 Karma

AruBhende
Explorer

So, they are available in search results, as the where clause is working. So, if I don't want to display them, I cannot include them in the email as well?

0 Karma

burwell
SplunkTrust

Hi. Perhaps you can show what your output looks like, but basically whatever the final fields are in the search results, those are the fields that can be used in email.

What I often do is format up special fields to use in email/slack that are easier for the user to see.

For example, I have a search that shows me missing indexers in a cluster manager.

My code snippet is

| eval cluster_manager=host
| stats count by missing_indexer,cluster_manager
| eval missing_indexer_cm=missing_indexer + " (" + cluster_manager + ")"
| eventstats values(missing_indexer_cm) as missing_indexer_cm


I create a new field missing_indexer_cm which combines the 2 fields missing_indexer and cluster_manager.

So the output is approximately this:

missing_indexer   cluster_manager count   missing_indexer_cm
---------------   --------------- -----   -------------------
idx1.foo.com      cm3.foo.com      42      idx1.foo.com (cm3.foo.com)


And then in alerting I use $result.missing_indexer_cm$, but when users click on the results of the search they see the above with all the info.

0 Karma

burwell
SplunkTrust

Hi. Any fields you want to have reported in the email have to be available in the search results.

0 Karma
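As an added example (not Splunk's code and not from either poster), a small Python model of the rule stated in the answers above: a $result.<field>$ token is filled from the first row of the search's final results, so a field dropped by "| table" expands to nothing. The rows and the subject line are constructed here; the second function is a pre-deploy check for tokens the final field list cannot satisfy.

```python
import re

# Splunk alert actions fill $result.<field>$ from the FIRST row of the final
# search results; a field the search dropped (e.g. with | table) expands empty.
TOKEN_RE = re.compile(r"\$result\.([A-Za-z0-9_]+)\$")


def expand_result_tokens(template, rows):
    """Model of Splunk's $result.<field>$ substitution (not Splunk's own code)."""
    first = rows[0] if rows else {}
    return TOKEN_RE.sub(lambda m: str(first.get(m.group(1), "")), template)


def unresolved_tokens(template, final_fields):
    """Names used as $result.<field>$ in template that final_fields lacks.

    Run this over action.email.subject / action.email.message against the
    field list your search actually ends with, to catch tokens that will
    silently render empty in the alert mail."""
    final_fields = set(final_fields)
    return sorted({f for f in TOKEN_RE.findall(template) if f not in final_fields})


# Constructed sample: one row as it looks AFTER the question's
# "| table table_name, field1, field2, diff" (partition_date/emailTime dropped).
ROW_AFTER_TABLE = [{"table_name": "orders", "field1": "100", "field2": "97", "diff": "-3"}]
# The same row if the search keeps the two extra fields in its final output.
ROW_WITH_EXTRA = [dict(ROW_AFTER_TABLE[0], partition_date="2024-05-01", emailTime="05/01/2024")]

SUBJECT = "Count check for $result.partition_date$ sent $result.emailTime$"

if __name__ == "__main__":
    print(expand_result_tokens(SUBJECT, ROW_AFTER_TABLE))   # both tokens empty
    print(expand_result_tokens(SUBJECT, ROW_WITH_EXTRA))    # both tokens filled
    print(unresolved_tokens(SUBJECT, ROW_AFTER_TABLE[0].keys()))
```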