Alerting

Why does $result.fieldname$ token not work in alert emails?

dmytro_gokun
Engager

As specified here:

http://docs.splunk.com/Documentation/Splunk/6.1/Alert/Setupalertactions#Use_tokens_in_email_notifica...

it should be possible to use a field from the event that caused the alert by typing

$result.<fieldname>$

This works fine for standard fields, e.g. $result.host$. But, with customer fields, it does not seem to work. For example, the event that triggers the alert has a field named "AppName". When I specify $result.AppName$ in the e-mail subject, it is substituted with an empty string as if that field did not exist.

Any ideas why?

nick405060
Motivator

You stated that this happens with your custom fields.

However, I do not think it is an issue with your custom fields, as I do not have a problem doing this with my custom fields if I do not table. Yet I do have a problem doing this with my table command. I'm willing to wager you used a table or a chart. I think this is a bug.

https://answers.splunk.com/answers/793094/can-you-put-a-non-tabled-field-in-an-alert-title.html

schollaert
Explorer

Hello,

Looks like this still does not work in 7.0.

Another workaround that worked for me to resolve an empty token $result.Value$ in the message is putting Value=* in the search.

source="Perfmon:Schijfruimte" host="rivm-sf-0107" index="perfmon" counter="Free Megabytes" instance=D: Value=*

Best regards,

Jan ,Looks like this problem still exists in 7.0

Another workaround that worked for me to solve the empty token $result.Value$ in the message is adding this to the search: Value=*

Regards,

Jan

snaikwade_splun
Splunk Employee
Splunk Employee

Even when I include the Value=* in the search, I am not able to get the token in Subject Line.

An interesting thing is - I am able to get the $result.Value$ in the message body but not Subject

0 Karma

ifeldshteyn
Path Finder

On 6.5.3 I had to add Value=* for it to show up in either Subject or Body. It seems it is acting the same way many RESTful calls do. You have to explicitly specify which fields to return otherwise they won't be there.

0 Karma

ppablo
Community Manager
Community Manager

Hi @dmytro_gokun

Does the answer in this question explain/apply to the issue you're seeing?
https://answers.splunk.com/answers/326179/i-want-to-use-result-in-my-alert-messages-but-it-d.html

0 Karma

dmytro_gokun
Engager

Hi Pablo,

well, it kind of related, but i'm not sure if it's 100% my case.
What i have as the alert's source is a simple search without any "transforming commands". So, it looks pretty strange that some fields are absent from that. I might be wrong here, but it looks like a bug in Splunk to me. What do you think? Should we report a bug?

I managed to make fields available by piping the search results into the "fields" command listing all the fields i need. It's a bit clumsy work-around, but it does the trick.

Best regards,
Dmytro.

0 Karma

ppablo
Community Manager
Community Manager

Hi @dmytro_gokun

Thanks for sharing your workaround for others to try out. If other users don't come along this post to help dig deeper into what the problem is, then it won't hurt to submit it as a bug here http://www.splunk.com/r/bugs

If you find out anything, either an explanation of the unexpected behavior or confirmation that it's a bug, please update this post as it'd be helpful for other folks to be aware of.

@davidpaper, do you think you'd be able to chime in on this post?

0 Karma

jgoddard
Path Finder

Is there a user tool to lookup bugs that have been submitted to splunk? This definitely feels like a bug, but I don't want to submit duplicates, there are a few bugs that I am still waiting on. 🙂

If this isn't already in their buglist, I am happy to create one.

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.