I have the following log taken from the search: index = mainframe JOBNAME=CIBI0104 MSGTXT = "*ABEND=S000*"
ACTION: IMMEDIATE_ACTION
DATETIME: 2017-08-01 22:08:17.36 -0700
JOBID: JOB14964
JOBNAME: CIBI0104
MSGNUM: IEF450I
MSGTXT: ABEND=S000 U1792 REASON=00001FAF TIME=22.08.17
For the sake of providing an example, I want the email to display something like this:
The action is: (insert ACTION here)
Please take action as soon as possible.
The jobname is: (insert JOBNAME here)
to look like
The action is: IMMEDIATE_ACTION
Please take action as soon as possible.
The jobname is: CIBI0104
I know I can filter my search to show only ACTION and JOBNAME, but what I'm trying to do is extract those two fields and place them within regular text in the email. Do I need to do a unique search/regex for each field I want to extract from the specific log?
The goal is to eventually be able to send the email in a specific format to an inbox that acts as an auto-ticket generator. I'll need to populate specific areas of the email with specific fields of the log.
Assuming that the fields are extracted, you can reference them using the $result.ACTION$ and $result.JOBNAME$ tokens:
http://docs.splunk.com/Documentation/Splunk/latest/Alert/Emailnotification#Tokens_available_for_emai...
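As an added illustration (not part of the original thread), this is how the tokens from the answer could sit in the alert's email settings in savedsearches.conf, using the search and message text from the question. The stanza name, recipient address, and schedule are assumed placeholders, and ACTION and JOBNAME must already be extracted as fields.

```ini
# savedsearches.conf -- constructed example; stanza name, recipient and
# schedule are placeholders, not values from the thread.
[Mainframe ABEND S000 - CIBI0104]
search = index=mainframe JOBNAME=CIBI0104 MSGTXT="*ABEND=S000*" | table ACTION JOBNAME
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m
dispatch.latest_time = now

# Trigger when the search returns at least one event.
counttype = number of events
relation = greater than
quantity = 0

# 0 = run the alert action once per result, so each matching event produces
# its own email. With the default (1), $result.<field>$ is filled from the
# first result only.
alert.digest_mode = 0

action.email = 1
action.email.to = tickets@example.com
action.email.subject = Mainframe ABEND: $result.JOBNAME$

# A trailing backslash continues the value on the next line.
action.email.message.alert = The action is: $result.ACTION$\
Please take action as soon as possible.\
The jobname is: $result.JOBNAME$
```

The same message text can be entered in the Message box of the "Send email" alert action in the UI. A token whose field is missing from the result is left empty in the email, so keep the fields in the final `table` (or `fields`) command.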
I misunderstood how to apply tokens. Thank you