I am sending a table in mail as an alert but I wan...

jitendragupta · ‎05-22-2018

It is a daily report I am sending as scheduled alert. Alert query displaying table in mail body bur I want to remove few fields, but if removed I ma unable to access them with $result.field_name$. Please suggest some alternative.

wryanthomas · ‎10-14-2019

What worked for me was a combination of the tips described by others here:

1) For use in token in email header or body, create a version of the field you want with an underscore as a prefix (e.g., | eval _fieldA = fieldA). You will use this field in the token -- e.g., $result._fieldA$.
2) Use 'fields' command instead of 'table' command. (I thought I had to use 'table' command to order the fields as I wanted in the email output. But 'fields' seems to work for that purpose as well.) Be sure to include the underscore-prefixed version of the field you want (e.g., "_fieldA") to use as token. (I just put it at the end.) Because it is prefixed with underscore, it won't show up in email table output.

That's it. Worked for me.

volodymyrr · ‎07-03-2024

this is literally saved my day! thanks for summary!!

xpac · ‎05-22-2018

You can try to rename those fields, so they start with an _.
Fields starting with an _ still exist, but are invisible - so you shouldn't see them, but they should be available to you.

Try | rename yourfield as _yourfield.

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

Utkarsh_ · ‎09-16-2021

Hi @xpac , I am sending the alert mail using "Sendresult Splunk App" and this solution is not working there.

Can you help me with some other solution?

hkngns · ‎06-15-2020

Hi @xpac ,

It works perfectly well for me

Thanks ! 😊

jitendragupta · ‎05-23-2018

After renaming as _fieldname the field in not coming in table output but still I am not able to use that field in E-mail body.
My alert is sending one table in mail which have has 10 desired fields and 3 more fields which has only one value and I dont want to show those 3 in table o/p.

I want to use those 3 in alert like this:
Percentage of Loss Assigned in Shift-A :- $result.PerAssigned_A$ %
Percentage of Loss Assigned in Shift-B :- $result.PerAssigned_B$ %
Percentage of Loss Assigned in Shift-C :- $result.PerAssigned_C$ %

So they appear in mail body like:
Percentage of Loss Assigned in Shift-A :- 60%
Percentage of Loss Assigned in Shift-B :- 75 %
Percentage of Loss Assigned in Shift-C :- 30 %

They are coming in mail properly but also coming in table o/p.

https://drive.google.com/open?id=1BTy7Af2wwYvhMs_q59UW35Eqz_TkhoYZ

wryanthomas · ‎10-14-2019

Did you solve this? I'm wanting this too.

I've been trying different things with the action.email.preprocess_results attribute in the 'advanced edit' screen for the alert, but I've not yet found a solution.

richgalloway · ‎05-22-2018

As you've discovered, the fields - command does not hide fields, it removes them. Removed fields are not available to later commands.

Please describe what you want the end result to be and we may be able to suggestion some options.

---
If this reply helps you, Karma would be appreciated.

I am sending a table in mail as an alert but I want to hide some fields of the table. But after hiding with fields - I am not able to access those fields in mail body with $result.field_name$

email

Splunk App for Anomaly Detection End of Life Announcment

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Are you a member of the Splunk Community?

I am sending a table in mail as an alert but I want to hide some fields of the table. But after hiding with fields - I am not able to access those fields in mail body with $result.field_name$

email

Splunk App for Anomaly Detection End of Life Announcment

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk