Alerting

Using Tokens in Alert Email

madhav_dholakia
Contributor

Hello, I have an alert setup which reads a lookup file (populated by another report) and if there are any records in the lookup file, emails should be triggered (one for each record).  

I understand this can be done using trigger "for each result" but I want to use some field values from each record and use it as an email subject.

Example:
madhav_dholakia_0-1716369752864.png

in this case, I want 6 emails to be triggered with subject lines as,

Email 1: Selfheal Alert - Cust A - Tomcat Stopped - Device A1- May-24 - Device Level
Email 2: Selfheal Alert - Cust A - Tomcat Stopped - Device A2- May-24 - Device Level
Email 3: Selfheal Alert - Cust B - Failed Job - Device B1- May-24 - Device Level
Email 4: Selfheal Alert - Cust C - Tomcat Stopped - Device C1- May-24 - Device Level
Email 5: Selfheal Alert - Cust C - Failed Job- Device C2- May-24 - Device Level
Email 6: Selfheal Alert - Cust C - Failed Job - Device C3- May-24 - Device Level

How can I achieve this?

Thank you.

0 Karma

marysan
Communicator

Hi, try this:
| inputlookup yourlookup ``` read the records from the lookup file ```
| search trigger_email=true ``` keep only the records flagged for an email (assumes such a field exists in the lookup) ```
| eval email_subject = MonthYear." - ".Customer." - ".Device." - ".CheckName." - ".SelfHealCount." - ".Status." - ".Timestamp ``` build the subject by concatenating the fields ```
subject = $email_subject // Use the dynamically generated subject

0 Karma

madhav_dholakia
Contributor

Hello @marysan - thanks for this.

I have created this email_subject field and when used within Email Body $email_subject$, it worked fine but not when used in Email Subject. Can you please suggest if I am missing something?

| eval email_subject=MonthYear." - ".Customer." - ".CheckName." - ".Device


madhav_dholakia_0-1717749729927.png

Thank you.

0 Karma

marysan
Communicator

Hi @madhav_dholakia
I'm not sure.
Please remove the last line of my query, I mean this:
subject = $email_subject // Use the dynamically generated subject

Then in the subject box in "Edit Alert" put this:
Alert: $email_subject$
OR
$email_subject$

If it doesn't work, put an image of the edit alert section of your alert here.


0 Karma

madhav_dholakia
Contributor

Hi @marysan - please see attached screenshots for Alert Configuration.

madhav_dholakia_0-1717999228865.png

madhav_dholakia_1-1717999080196.png

madhav_dholakia_2-1717999138057.png

0 Karma

KendallW
Communicator

Hi @madhav_dholakia 

Here's what you should put in the alert's config to achieve what you want:

Search:

| inputlookup <file> 


Subject:
Selfheal Alert - $result.Customer$ - $result.CheckName$ - $result.Device$ - $result.MonthYear$ - $result.Status$

Trigger: For each result

Throttle: [check]

Suppress results containing field value: Device
(This will prevent Splunk sending out duplicate alerts for the same device)

Suppress triggering for <some time period>. Set this to however often your lookup-populating report is scheduled to run.

0 Karma
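The same per-result alert configuration expressed as a savedsearches.conf stanza, added here as an example rather than taken from the thread. The lookup file name (selfheal_alerts.csv), the recipient address and the 15-minute schedule are assumed placeholders.

```ini
# Added example (not from the thread): savedsearches.conf stanza for a
# per-result email alert driven by a lookup file.
# Assumed placeholders: lookup name, recipient address, schedule.
[Selfheal Alert - per device]
search = | inputlookup selfheal_alerts.csv
# Match the schedule of the report that populates the lookup.
cron_schedule = */15 * * * *
enableSched = 1
# Fire when the search returns at least one row.
counttype = number of events
relation = greater than
quantity = 0
# digest_mode = 0 is "Trigger: For each result"; with digest_mode = 1 the
# action runs once and $result.<field>$ resolves from the first row only.
alert.digest_mode = 0
alert.track = 1
# Throttle: suppress further triggers for the same Device for one hour,
# so a device that stays broken does not flood the mailbox every run.
alert.suppress = 1
alert.suppress.fields = Device
alert.suppress.period = 1h
# Email action. Token names are case-sensitive and must match the lookup
# header exactly; a field that does not exist renders as an empty string.
# The subject is built verbatim from lookup contents, so whoever can write
# the lookup controls what recipients see in the subject line.
action.email = 1
action.email.to = ops-team@example.com
action.email.subject = Selfheal Alert - $result.Customer$ - $result.CheckName$ - $result.Device$ - $result.MonthYear$ - $result.Status$
action.email.message.alert = $result.Customer$: $result.CheckName$ on $result.Device$ (status $result.Status$). $results_link$
action.email.sendresults = 1
action.email.inline = 1
```

Place the stanza in an app's local/savedsearches.conf and reload the app; the resulting alert matches the Search, Subject, Trigger and Throttle settings described above.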

madhav_dholakia
Contributor

thanks @KendallW - I think $result.field$ will not work in this scenario? I am already using the subject line as you mentioned but it is having a blank value (in the email I receive) for the variables.

0 Karma