
Using Tokens in Alert Email

madhav_dholakia
Contributor

Hello, I have an alert setup which reads a lookup file (populated by another report) and if there are any records in the lookup file, emails should be triggered (one for each record).  

I understand this can be done using trigger "for each result" but I want to use some field values from each record and use it as an email subject.

Example:
(screenshot: sample lookup records)

in this case, I want 6 emails to be triggered with subject lines as,

Email 1: Selfheal Alert - Cust A - Tomcat Stopped - Device A1- May-24 - Device Level
Email 2: Selfheal Alert - Cust A - Tomcat Stopped - Device A2- May-24 - Device Level
Email 3: Selfheal Alert - Cust B - Failed Job - Device B1- May-24 - Device Level
Email 4: Selfheal Alert - Cust C - Tomcat Stopped - Device C1- May-24 - Device Level
Email 5: Selfheal Alert - Cust C - Failed Job- Device C2- May-24 - Device Level
Email 6: Selfheal Alert - Cust C - Failed Job - Device C3- May-24 - Device Level

How can I achieve this?

Thank you.


marysan
Communicator

Hi, try this:
| inputlookup yourlookup   ```Read data from the lookup file```
| search trigger_email=true   ```Filter for records with email trigger enabled```
| eval email_subject = MonthYear." - ".Customer." - ".Device." - ".CheckName." - ".SelfHealCount." - ".Status." - ".Timestamp   ```Construct the subject from the record's fields```
subject = $email_subject$   ```Use the dynamically generated subject```


madhav_dholakia
Contributor

Hello @marysan - thanks for this.

I have created this email_subject field, and when it is used within the Email Body as $email_subject$ it works fine, but not when used in the Email Subject. Can you please suggest if I am missing something?

| eval email_subject=MonthYear." - ".Customer." - ".CheckName." - ".Device

(screenshot: alert configuration)

Thank you.


marysan
Communicator

Hi @madhav_dholakia,
I'm not sure. Please remove the last line of my query, I mean this:
subject = $email_subject$   ```Use the dynamically generated subject```

Then, in the Subject box in "Edit Alert", put this:
Alert: $email_subject$
OR
$email_subject$ 

If it doesn't work, post an image of the Edit Alert section of your alert here.


madhav_dholakia
Contributor

Hi @marysan - please see the attached screenshots of the alert configuration.

(three screenshots of the alert configuration)

KendallW
Contributor

Hi @madhav_dholakia 

Here's what you should put in the alert's config to achieve what you want:

Search:

| inputlookup <file> 


Subject:
Selfheal Alert - $result.Customer$ - $result.CheckName$ - $result.Device$ - $result.MonthYear$ - $result.Status$

Trigger: For each result

Throttle: [check]

Suppress results containing field value: Device
(This will prevent Splunk from sending out duplicate alerts for the same device.)

Suppress triggering for <some time period>. Set this to however often your lookup-populating report is scheduled to run.

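The same configuration expressed as a savedsearches.conf stanza, as an added example that is not part of the thread. It is the file form of the "For each result" trigger, the $result.<field>$ subject and the per-Device throttle described in the answer above, which is useful when the alert is deployed from an app rather than clicked together in the UI. The stanza name, lookup file name, schedule and recipient address are assumptions for illustration; the field names (Customer, CheckName, Device, MonthYear) are the ones used in the thread.

```ini
# savedsearches.conf in the app that owns the alert (added example; names below are assumed)
[Selfheal device alert]
search = | inputlookup selfheal_alerts.csv
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now

# Trigger when the lookup returns at least one row
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
alert.track = 1

# Per-result actions (UI: Trigger = "For each result").
# Digest mode must be off: with digest mode on, $result.<field>$ tokens
# are filled from the first row only and every email would look the same.
alert.digest_mode = 0

# Throttle: at most one email per Device value per report interval
# (UI: "Suppress results containing field value" / "Suppress triggering for")
alert.suppress = 1
alert.suppress.fields = Device
alert.suppress.period = 15m

# Email action. Tokens refer to fields of the triggering row, names are case-sensitive,
# and a token for a field the row does not contain renders as an empty string.
action.email = 1
action.email.to = ops@example.com
action.email.subject = Selfheal Alert - $result.Customer$ - $result.CheckName$ - $result.Device$ - $result.MonthYear$ - Device Level
action.email.message.alert = $result.Customer$: $result.CheckName$ on $result.Device$ ($result.Status$)
action.email.sendresults = 0
```

After deploying, check the effective settings with `splunk btool savedsearches list "Selfheal device alert" --debug` and compare the token names in `action.email.subject` against the lookup's header row; a blank value in the delivered subject usually means the token name does not match a field present in the triggering result (case included), or that digest mode is still on.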

madhav_dholakia
Contributor

Thanks @KendallW - I think $result.field$ will not work in this scenario? I am already using the subject line as you mentioned, but it has a blank value (in the email I receive) for the variables.
