I have a saved search that triggers an alert in the form of an email.
I want that alert to be sent to different email IDs based on a condition.
For example, I have 7 application values in the search result, and each application has an application owner.
Suppose the SLA threshold value is reached for a given application; then the email must be sent only to that application's owner.
Looking for inputs.
This seems to work.
1) For use in token in email header or body, create a version of the field you want with an underscore as a prefix (e.g., | eval _fieldA = fieldA). You will use this field in the token -- e.g., $result._fieldA$.
2) Use 'fields' command instead of 'table' command. (I thought I had to use 'table' command to order the fields as I wanted in the email output. But 'fields' seems to work for that purpose as well.) Be sure to include the underscore-prefixed version of the field you want (e.g., "_fieldA") to use as token. (I just put it at the end.) Because it is prefixed with underscore, it won't show up in email table output.
@ayush1906 Awesome, thank you so much. I have been trying to overcome this scenario for the last three days. It is working perfectly and as expected.
Get the email ID as a column in the result, let's say email, and in the To field of the alert pass it as a token: "$result.email$".
The same can be achieved in the search itself using sendemail.
@ayush1906 In this case, the email ID values will also be present in the result email. But is there any way to send an email without them being present in the result email?
The resulting email contains the below columns based on your suggestions.
Col A Col B email
But, I am trying to get the result email like below
Col A Col B
Thanks in advance.
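
Putting the two answers in this thread together (recipient taken from a result field, underscore prefix to keep that field out of the email table), as an added example that is not from any poster in the thread. It is a savedsearches.conf stanza in which the stanza name, index, sourcetype, threshold, the app_owners.csv lookup, its field names and the example.com domain are all assumptions:

```ini
# savedsearches.conf (added example; all names and values below are assumed)
[SLA breach - notify application owner]
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now

# app_owners.csv is a hypothetical lookup with columns: application, owner_email.
# The underscore-prefixed copy (_owner_email) can be used as a token but is not
# rendered in the email table. The final where clause drops any address outside
# the expected domain, so a wrong or tampered lookup row cannot send the alert
# to an arbitrary recipient.
search = index=app_metrics sourcetype=sla_stats \
| stats max(response_time_ms) AS worst_ms BY application \
| where worst_ms > 2000 \
| lookup app_owners.csv application OUTPUT owner_email \
| eval _owner_email = lower(owner_email) \
| where like(_owner_email, "%@example.com") \
| fields application worst_ms _owner_email

# Trigger when at least one application is over the threshold.
counttype = number of events
relation = greater than
quantity = 0

# 0 = run the alert action once per result row instead of once per search,
# so $result.*$ tokens resolve separately for each application.
alert.digest_mode = 0

action.email = 1
action.email.to = $result._owner_email$
action.email.subject = SLA threshold reached: $result.application$
action.email.inline = 1
action.email.format = table
action.email.sendresults = 1
```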