Re: Using Tokens in Alert Email

madhav_dholakia · ‎05-22-2024

Hello, I have an alert setup which reads a lookup file (populated by another report) and if there are any records in the lookup file, emails should be triggered (one for each record).

I understand this can be done using trigger "for each result" but I want to use some field values from each record and use it as an email subject.

Example:

in this case, I want 6 emails to be triggered with subject lines as,

Email 1: Selfheal Alert - Cust A - Tomcat Stopped - Device A1- May-24 - Device Level
Email 2: Selfheal Alert - Cust A - Tomcat Stopped - Device A2- May-24 - Device Level
Email 3: Selfheal Alert - Cust B - Failed Job - Device B1- May-24 - Device Level
Email 4: Selfheal Alert - Cust C - Tomcat Stopped - Device C1- May-24 - Device Level
Email 5: Selfheal Alert - Cust C - Failed Job- Device C2- May-24 - Device Level
Email 6: Selfheal Alert - Cust C - Failed Job - Device C3- May-24 - Device Level

How can I achieve this?

Thank you.

marysan · ‎06-05-2024

Hi, Tre this :
| inputlookup yourlookuo // Read data from the lookup file
| search NOT $empty$ trigger_email=true // Filter for records with email trigger enabled
| eval email_subject = "<field_MotherYear> - <field_Customer> - <field_Device>- <field_CheckName> - <field_SelfHealCount>-<field_Status>- <field_Timestamp>" // Construct subject using all fields
subject = $email_subject // Use the dynamically generated subject

madhav_dholakia · ‎06-07-2024

Hello @marysan - thanks for this.

I have created this email_subject field and when used within Email Body $email_subject$, it worked fine but not when used in Email Subject. Can you please suggest if I am missing something?

| eval email_subject=MonthYear." - ".Customer." - ".CheckName." - ".Device

Thank you.

marysan · ‎06-07-2024

Hi @madhav_dholakia
I'm not sure
please remove the last line of my query , I mean this :
subject = $email_subject // Use the dynamically generated subject

then in the subject box in "Edit Alert " put this :
Alert: $email_subject$
OR
$email_subject$

If it doesn't work put an image from edit alert section of your alert hear

madhav_dholakia · ‎06-09-2024

Hi @marysan - please see attached screenshots for Alert Configuration.

KendallW · ‎06-03-2024

Hi @madhav_dholakia

Here's what you should put in the alert's config to achieve what you want:

Search:

| inputlookup <file>

Subject:
Selfheal Alert - $result.Customer$ - $result.CheckName$ - $result.Device$ - $result.MonthYear$ - $result.Status$

Trigger: For each result

Throttle: [check]

Supress results contain-ing field value: Device
(This will prevent Splunk sending out duplicate alerts for the same device)

Suppress triggering for <some time period>. Set this for however often your lookup-populating report is scheduled to run

madhav_dholakia · ‎06-04-2024

thanks @KendallW - I think $result.field$ will not work in this scenario? I am already using he subject line as you mentioned but it is having a blank value (in Email I receive) for the variables.

Using Tokens in Alert Email

alert action

alert condition

email

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine

Are you a member of the Splunk Community?