The documentation at [Use tokens in email notifications] says:
-- You can access field values from the first result row that a search returns. Field availability for tokens depends on what fields are available in search results.
We wonder whether we can view the remainder of the results? (They should be contained in the
Not really. The way to do it is to move the thresholding criteria from the alert configuration into the SPL itself, like this:
Your Search Stuff Here | eventstats count (or other aggregation) AS trigger BY host and/or other fields here | where trigger > YourThresholdHere
So you either have events (when the trigger condition exists) or none. Then change your alert threshold settings to Number of Events, Greater than 0, and select the options to include events in your email.
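As an added example (not from the answer above), here is a savedsearches.conf stanza that applies the pattern to a failed-login burst alert: the threshold sits in the SPL, the alert fires on "Number of Events > 0", and the matching events are sent in the email. The index, sourcetype, field names, recipient and threshold value are assumptions.

```ini
# Added example, not part of the original post. Index, sourcetype,
# field names, recipient and threshold are assumed values.
[Failed logins per host above threshold]
# eventstats keeps every event and attaches the per-host count as "trigger";
# where drops all rows unless the host crossed the threshold.
search = index=auth sourcetype=linux_secure action=failure \
    | eventstats count AS trigger BY host \
    | where trigger > 50
# Run every five minutes over the previous five minutes
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m
dispatch.latest_time = now
# The threshold lives in the SPL, so any result at all means "fire"
counttype = number of events
relation = greater than
quantity = 0
# Tokens still come from the first result row; the table carries the rest
action.email = 1
action.email.to = soc@example.com
action.email.subject = Failed-login burst on $result.host$ ($result.trigger$ failures)
action.email.sendresults = 1
action.email.inline = 1
action.email.format = table
```

Because eventstats keeps every raw event for a host that crossed the threshold, the emailed table lists those events; switch to stats if one summary row per host is enough.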