I am providing a search string in an alert email body.
I want to mask this search string instead of showing the contents of it.
How can we do it?
index=_internal source=license_usage.log type="Usage" idx=""
|stats sum(b) as vol by idx
| eval gb=round(vol/1073741824,2)
| where gb>=0.3
| eval your_desire_url="https://splunk.google.com/licensedashboard?form.field1.earliest=%40d&form.field1.latest=now&form.ix=".$idx$."&form.hst=*&form.ste=*&form.sc=*&form.index=*"
$result.your_desire_url$ in email body
I am still getting the entire URL in the email.
This is still coming in email - https://splunk.google.com/licensedashboard?form.field1.earliest=%40d&form.field1.latest=now&form.ix=...
$result.your_desire_url$ works fine, but $idx$ does not work.
Is there any problem with the eval result of a normal search?
Email notification
Hi, Uncheck Search String
Please provide an example of the email text.
This is my alert search string: index=_internal source=license_usage.log type="Usage" idx=""
|stats sum(b) as vol by idx | eval gb=round(vol/1073741824,2)
|where gb>=0.3
This is what I want in the email body: The alert condition for '$name$' was triggered.
I want to mask the last URL and call it Splunk Index or something instead of showing its contents.