Alerting

How to use custom-defined fields in the alert subject and body of the alerts?

kollachandra
Path Finder

I am not able to use the custom-defined fields in the alert body or subject without using them in the table command.

EX:
I am trying to send an email alert based on the number of events to different recipients.

Base query

| sort - _time 
| eventstats count as TOTAL_COUNT 
| eval recipient = case(TOTAL_COUNT > 100, "my_manager_email@domain.com", TOTAL_COUNT >= 50, "my_email@domain.com", 1==1, null()) 
| eval Time=strftime(_time, "%m/%d/%y %I:%M:%S %p") 
| table Time,host,c_ip,cs_uri_stem,s_ip,s_port,TOTAL_COUNT,sc_status,sc_substatus,time_taken,recipient

In this case, without including the recipient in the table, I am not able to use it in the "send email to" field of the alert. I am using $result.recipient$. Please let me know how to use this without including the recipient in the table.

0 Karma

kollachandra
Path Finder

This is working only if I add the field names to the table command. I read somewhere that if I use transforming commands I can't use the tokens. So, please let me know if there is another way.

0 Karma