Alerting

How to include search variable in email, but not display in result table

AruBhende
Explorer

I am working on creating an alert from Splunk.  In my search I am creating a variable using eval, but that is not used in the result table.  But I would like to use it in the email subject and body.

index=applications sourcetype=aws:cloudwatchlogs ((Job="*prod-job1*") OR (Job="*prod-job2*"))
| eval emailTime=strftime(now(),"%m/%d/%Y")
``` latest(_time) needs an alias, otherwise _time is gone after stats and evt_time below would be null ```
| stats latest(_time) as _time latest(s3Partition) as s3Partition latest(field1) as field1 latest(field2) as field2 latest(emailTime) as emailTime by table_name
| search field2="*" emailTime=*
| eval diff=(field2-field1)
| eval evt_time=strftime(_time, "%Y-%m-%d")
| eval partition_date=substr(s3Partition, len("event_creation_time=")+1, len("yyyy-mm-dd"))
| where isnotnull(table_name) and isnotnull(emailTime) and ( evt_time == partition_date )
``` table keeps only the listed fields; partition_date and emailTime are dropped here ```
| table table_name, field1, field2, diff
| sort table_name
| rename table_name AS "Table Name" field1 AS "Field1 count" field2 AS "Field2 count" diff as "Count Difference"

I tried using it like $result.partition_date$ and $result.emailTime$ in the subject and body, but the value is not getting substituted; it appears empty in both places.

Is it possible to use this value in email without using it in the table for the alert?

Thank you

0 Karma

AruBhende
Explorer

So, they are available in the search results, as the where clause is working. So if I don't want to display them, I cannot include them in the email either?

0 Karma

burwell
SplunkTrust

Hi. Perhaps you can show what your output looks like, but basically whatever the final fields are in the search results, those are the fields that can be used in email.

What I often do is format up special fields to use in email/slack that are easier for the user to see.

For example, I have a search that shows me missing indexers in a cluster manager.

My code snippet is

| eval cluster_manager=host
| stats count by missing_indexer,cluster_manager
``` one field for the notification: "<indexer> (<cluster manager>)" ```
| eval missing_indexer_cm=missing_indexer + " (" + cluster_manager + ")"
``` keep all values in every row so $result.missing_indexer_cm$ (first row) carries the full list ```
| eventstats values(missing_indexer_cm) as missing_indexer_cm

I create a new field missing_indexer_cm which combines the 2 fields missing_indexer and cluster_manager.

So the output is approximately this

missing_indexer   cluster_manager count   missing_indexer_cm
---------------   --------------- -----   -------------------
idx1.foo.com      cm3.foo.com      42      idx1.foo.com (cm3.foo.com)


And then in alerting I use $result.missing_indexer_cm$, but when users click on the results of the search they see the above with all the info.

0 Karma
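The mechanic both posts turn on is that $result.<field>$ is filled from the first row of the final search results, so a field that `| table ...` has already discarded has nothing to substitute. The following Python is an added model of that substitution, not Splunk code and not from either poster: it fakes `| table` and the token replacement over constructed rows that stand in for the question's search output, and shows the empty subject the question reports versus the subject you get when the two fields stay in the results. Field names, the sample values and the subject template are assumptions.

```python
"""Model of Splunk's $result.<field>$ substitution (added example; Splunk
itself is not called). Shows why a field dropped by `| table ...` renders
as an empty string in the alert subject/body."""
import re
from typing import Dict, List

# Splunk substitutes tokens of the form $result.<fieldname>$.
TOKEN_RE = re.compile(r"\$result\.([A-Za-z0-9_]+)\$")


def render_alert_text(template: str, results: List[Dict[str, str]]) -> str:
    """Replace each $result.<field>$ with that field's value from the FIRST
    result row. A field missing from that row becomes '' (the behaviour the
    question describes as "appears empty")."""
    first = results[0] if results else {}
    return TOKEN_RE.sub(lambda m: first.get(m.group(1), ""), template)


def table(results: List[Dict[str, str]], *keep: str) -> List[Dict[str, str]]:
    """Mimic `| table f1 f2 ...`: every field not listed is removed from the
    result set, so it no longer exists for token substitution."""
    return [{k: row[k] for k in keep if k in row} for row in results]


# Constructed rows standing in for the search output just before `| table`
# (assumed values; the field names follow the question's search).
SEARCH_ROWS = [
    {"table_name": "orders", "field1": "120", "field2": "118", "diff": "-2",
     "evt_time": "2024-05-01", "partition_date": "2024-05-01",
     "emailTime": "05/01/2024"},
    {"table_name": "users", "field1": "40", "field2": "40", "diff": "0",
     "evt_time": "2024-05-01", "partition_date": "2024-05-01",
     "emailTime": "05/01/2024"},
]

# Assumed subject template using the two tokens from the question.
SUBJECT = "Partition $result.partition_date$ count check ($result.emailTime$)"


def subject_after_table() -> str:
    """The question's pipeline: `| table table_name, field1, field2, diff`
    drops partition_date and emailTime, so both tokens resolve to ''."""
    final = table(SEARCH_ROWS, "table_name", "field1", "field2", "diff")
    return render_alert_text(SUBJECT, final)


def subject_keeping_fields() -> str:
    """Same pipeline but the two fields are kept in the final results, which
    is what the answers say is required for them to reach the email."""
    final = table(SEARCH_ROWS, "table_name", "field1", "field2", "diff",
                  "partition_date", "emailTime")
    return render_alert_text(SUBJECT, final)


if __name__ == "__main__":
    print(repr(subject_after_table()))    # 'Partition  count check ()'
    print(repr(subject_keeping_fields()))  # 'Partition 2024-05-01 count check (05/01/2024)'
```

The practical consequence matches the advice in the thread: either keep the field in the final `table` (renaming it if you want it to read better in the result table) or, as in the missing_indexer_cm example, build a single presentation field that is part of the results and reference that one token.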

burwell
SplunkTrust

Hi. Any fields you want to have reported in the email have to be available in the search results.

0 Karma