How to mask a URL in a Splunk alert email body

Explorer

I am providing a search string in an alert email body.
I want to mask this search string instead of showing the contents of it.

How can we do it?

0 Karma

Ultra Champion
index=_internal source=license_usage.log type="Usage" idx=""
| stats sum(b) as vol by idx
| eval gb=round(vol/1073741824,2)
| where gb>=0.3
| eval your_desire_url="https://splunk.google.com/licensedashboard?form.field1.earliest=%40d&form.field1.latest=now&form.ix=".$idx$."&form.hst=*&form.ste=*&form.sc=*&form.index=*"

$result.your_desire_url$ in email body

0 Karma

Explorer

I am still getting the entire URL in the email.

This is still coming in email - https://splunk.google.com/licensedashboard?form.field1.earliest=%40d&form.field1.latest=now&form.ix=...

0 Karma

Ultra Champion

$result.your_desire_url$ works fine, but $idx$ does not work.
Is there any problem with the eval result of a normal search?

0 Karma

Ultra Champion

Email notification
Hi, uncheck Search String.

0 Karma

Explorer

This doesn't solve the problem. Now the search string is just coming as "

0 Karma

Ultra Champion

Please provide an example of the email text.

0 Karma

Explorer

This is my alert search string:

index=_internal source=license_usage.log type="Usage" idx=""
| stats sum(b) as vol by idx
| eval gb=round(vol/1073741824,2)
| where gb>=0.3

This is what I want in the email body: The alert condition for '$name$' was triggered.

https://splunk.google.com/licensedashboard?form.field1.earliest=%40d&form.field1.latest=now&form.ix=...

I want to mask the last URL and call it "Splunk Index" or something, instead of showing its contents.

0 Karma