
How to use custom defined fields in the alert subject and body of the alerts?

Path Finder

I am not able to use custom defined fields in the alert body or subject without also including them in the table command.

Example:
I am trying to send an email alert to different recipients based on the number of events.

Base query

| sort - _time 
| eventstats count as TOTAL_COUNT 
| eval recipient = case(TOTAL_COUNT > 100, "my_manager_email@domain.com", TOTAL_COUNT >= 50, "my_email@domain.com", 1==1, null()) 
| eval Time=strftime(_time, "%m/%d/%y %I:%M:%S %p") 
| table Time,host,c_ip,cs_uri_stem,s_ip,s_port,TOTAL_COUNT,sc_status,sc_substatus,time_taken,recipient

In this search, unless recipient is included in the table command I am not able to use it in the "send email to" field of the alert. I am using $result.recipient$. Please let me know how to use this without including the recipient in the table.

0 Karma

Path Finder

This works only if I add the field names to the table command. I read somewhere that if I use transforming commands I can't use the tokens. So, please let me know if there is another way.

0 Karma
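The point both posts above run into is that a $result.fieldname$ token is resolved from the first row of the search's final results, so the field has to survive the last command in the search; table keeps only the columns you list and discards the rest, which is why recipient vanishes the moment it is left out. The search below is an added example, not the poster's own, rewritten so that recipient stays in the result set and so that the alert has nobody to mail only when the event count is below the lower threshold (the case() above returns null() in that situation). "<base search>" is a placeholder for the original base query, which the post does not show.

```spl
<base search>
| eventstats count AS TOTAL_COUNT
| eval recipient = case(TOTAL_COUNT > 100, "my_manager_email@domain.com",
                        TOTAL_COUNT >= 50, "my_email@domain.com",
                        1==1, null())
| where isnotnull(recipient)
| eval Time=strftime(_time, "%m/%d/%y %I:%M:%S %p")
| sort - _time
| fields Time host c_ip cs_uri_stem s_ip s_port TOTAL_COUNT sc_status sc_substatus time_taken recipient
```

Two things to check when wiring this into the alert action. First, because eventstats writes the same TOTAL_COUNT onto every row, every row carries the same recipient, so taking the value from the first row is safe here; with a per-host or per-user count that would no longer hold and the search would have to be arranged so the intended row sorts first. Second, the where clause means the search returns zero rows below 50 events, so set the trigger condition to "number of results greater than 0" rather than mailing an empty table; keeping recipient in the results is what makes $result.recipient$ resolve in the To field, and if the column should not be visible to the reader, build the subject and body from $result.TOTAL_COUNT$-style tokens instead of the inline results table.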