Alerting

I want to use "$result." in my alert messages, but it doesn't work.

Contributor

I want to run a search and include $result.sourcetype$ in my alert email, but it doesn't work.

http://docs.splunk.com/Documentation/Splunk/6.3.0/Alert/Emailnotification says it should.

Help!

1 Solution

Contributor

If you want to use "$result." in your alert messages (either in the subject or the body), then there is a set of commands called transforming commands that you can’t use. They are listed here:

http://docs.splunk.com/Splexicon:Transformingcommand

So, a very simple search that would allow you to include “$result.source$” in your Subject or email body would be something like:

index=foo | head 1

But if you tried to do:

index=foo | stats count

none of the $result.*$ values are available.

A request to update docs has been submitted.


New Member

I had the problem that when I was using tokens from the search, no email would be sent.
Then I discovered a typo in a different field.
Once I resolved the - seemingly unrelated - problem it started working again.

0 Karma
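A small model of the behaviour discussed in the accepted solution above, added here as an example and not taken from the thread or from Splunk's code. It assumes the documented token rule that `$result.fieldname$` is read from the first result row, treats a missing field as an empty string, and goes one step beyond the thread by also modelling `stats count by <field>`. The helper names and sample events are constructed for illustration.

```python
import re

# Matches $result.<fieldname>$ tokens in an alert subject or body.
TOKEN = re.compile(r"\$result\.([A-Za-z_]\w*)\$")

# Constructed sample events standing in for `index=foo`.
EVENTS = [
    {"source": "/var/log/auth.log", "sourcetype": "linux_secure"},
    {"source": "/var/log/auth.log", "sourcetype": "linux_secure"},
    {"source": "/var/log/nginx/access.log", "sourcetype": "nginx_access"},
]

def head(events, n):
    """Model of `| head n`: events pass through with all their fields."""
    return events[:n]

def stats_count(events, by=None):
    """Model of `| stats count [by <field>]`: rows hold only count and the by-field."""
    if by is None:
        return [{"count": len(events)}]
    counts = {}
    for event in events:
        counts[event[by]] = counts.get(event[by], 0) + 1
    return [{by: key, "count": n} for key, n in sorted(counts.items())]

def expand(template, results):
    """Expand tokens from the first result row; return (text, missing_fields)."""
    first = results[0] if results else {}
    missing = []

    def substitute(match):
        name = match.group(1)
        if name not in first:
            missing.append(name)   # field did not survive the search pipeline
            return ""              # assumption: unresolved token renders empty
        return str(first[name])

    return TOKEN.sub(substitute, template), missing

SUBJECT = "Alert from $result.sourcetype$ ($result.source$)"

if __name__ == "__main__":
    for label, rows in [("head 1", head(EVENTS, 1)),
                        ("stats count", stats_count(EVENTS)),
                        ("stats count by sourcetype", stats_count(EVENTS, "sourcetype"))]:
        text, missing = expand(SUBJECT, rows)
        print(f"{label!r}: {text!r} missing={missing}")
```

Running `expand` over a saved alert's subject and body before enabling it flags any token whose field is not present in the search's output.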
