Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to mask a URL in a Splunk alert email body

rashi83
Path Finder
‎11-18-2019 09:22 AM

I am providing a search string in an alert email body.
I want to mask this search string instead of showing the contents of it.

How can we do it?

0 Karma
Reply

to4kawa
Ultra Champion
‎11-18-2019 11:55 AM 
index=_internal source=license_usage.log type="Usage" idx=""
|stats sum(b) as vol by idx 
| eval gb=round(vol/1073741824,2)
| where gb>=0.3
| eval your_desire_url="https://splunk.google.com/licensedashboard?form.field1.earliest=%40d&form.field1.latest=now&form.ix=".$idx$."&form.hst=*&form.ste=*&form.sc=*&form.index=*"

$result.your_desire_url$ in email body

0 Karma
Reply

rashi83
Path Finder
‎11-18-2019 12:54 PM

I am still getting the entire URL in the email .

This is still coming in email - https://splunk.google.com/licensedashboard?form.field1.earliest=%40d&form.field1.latest=now&form.ix=...

0 Karma
Reply

to4kawa
Ultra Champion
‎11-19-2019 03:09 AM

$result.your_desire_url$ works fine.
but $idx$ does not work.
Is there any problem with the eval result of a normal search?

0 Karma
Reply

to4kawa
Ultra Champion
‎11-18-2019 09:35 AM

Email notification
Hi, Uncheck Search String

0 Karma
Reply

rashi83
Path Finder
‎11-18-2019 10:24 AM

this doesn't solve the problem. Now the search string is just coming as "

0 Karma
Reply

to4kawa
Ultra Champion
‎11-18-2019 11:28 AM

Please provide an example of the email text.

0 Karma
Reply

rashi83
Path Finder
‎11-18-2019 11:44 AM

This is my alert search string : index=_internal source=license_usage.log type="Usage" idx=""
|stats sum(b) as vol by idx | eval gb=round(vol/1073741824,2)
|where gb>=0.3

This I want it in email body : The alert condition for '$name$' was triggered.

https://splunk.google.com/licensedashboard?form.field1.earliest=%40d&form.field1.latest=now&form.ix=...

Last URL I want to mask it and call it as Splunk Index or something instead of showing its contents.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...