As specified here:
it should be possible to use a field from the event that caused the alert by typing
This works fine for standard fields, e.g. $result.host$. But, with customer fields, it does not seem to work. For example, the event that triggers the alert has a field named "AppName". When I specify
$result.AppName$ in the e-mail subject, it is substituted with an empty string as if that field did not exist.
Any ideas why?
You stated that this happens with your custom fields.
However, I do not think it is an issue with your custom fields, as I do not have a problem doing this with my custom fields if I do not
table. Yet I do have a problem doing this with my
table command. I'm willing to wager you used a table or a chart. I think this is a bug.
Looks like this still does not work in 7.0.
Another workaround that worked for me to resolve an empty token $result.Value$ in the message is putting Value=* in the search.
source="Perfmon:Schijfruimte" host="rivm-sf-0107" index="perfmon" counter="Free Megabytes" instance=D: Value=*
Jan ,Looks like this problem still exists in 7.0
Another workaround that worked for me to solve the empty token $result.Value$ in the message is adding this to the search: Value=*
Even when I include the Value=* in the search, I am not able to get the token in Subject Line.
An interesting thing is - I am able to get the $result.Value$ in the message body but not Subject
On 6.5.3 I had to add Value=* for it to show up in either Subject or Body. It seems it is acting the same way many RESTful calls do. You have to explicitly specify which fields to return otherwise they won't be there.
well, it kind of related, but i'm not sure if it's 100% my case.
What i have as the alert's source is a simple search without any "transforming commands". So, it looks pretty strange that some fields are absent from that. I might be wrong here, but it looks like a bug in Splunk to me. What do you think? Should we report a bug?
I managed to make fields available by piping the search results into the "fields" command listing all the fields i need. It's a bit clumsy work-around, but it does the trick.
Thanks for sharing your workaround for others to try out. If other users don't come along this post to help dig deeper into what the problem is, then it won't hurt to submit it as a bug here http://www.splunk.com/r/bugs
If you find out anything, either an explanation of the unexpected behavior or confirmation that it's a bug, please update this post as it'd be helpful for other folks to be aware of.
@davidpaper, do you think you'd be able to chime in on this post?
Is there a user tool to lookup bugs that have been submitted to splunk? This definitely feels like a bug, but I don't want to submit duplicates, there are a few bugs that I am still waiting on. 🙂
If this isn't already in their buglist, I am happy to create one.