Even when I include the Value=* in the search, I am not able to get the token in Subject Line.

An interesting thing is - I am able to get the $result.Value$ in the message body but not Subject

On 6.5.3 I had to add Value=* for it to show up in either Subject or Body. It seems it is acting the same way many RESTful calls do. You have to explicitly specify which fields to return otherwise they won't be there.

Hi Pablo,

well, it kind of related, but i'm not sure if it's 100% my case.
What i have as the alert's source is a simple search without any "transforming commands". So, it looks pretty strange that some fields are absent from that. I might be wrong here, but it looks like a bug in Splunk to me. What do you think? Should we report a bug?

I managed to make fields available by piping the search results into the "fields" command listing all the fields i need. It's a bit clumsy work-around, but it does the trick.

Best regards,
Dmytro.

Hi @dmytro_gokun

Thanks for sharing your workaround for others to try out. If other users don't come along this post to help dig deeper into what the problem is, then it won't hurt to submit it as a bug here http://www.splunk.com/r/bugs

If you find out anything, either an explanation of the unexpected behavior or confirmation that it's a bug, please update this post as it'd be helpful for other folks to be aware of.

@davidpaper, do you think you'd be able to chime in on this post?

Is there a user tool to lookup bugs that have been submitted to splunk? This definitely feels like a bug, but I don't want to submit duplicates, there are a few bugs that I am still waiting on. 🙂

If this isn't already in their buglist, I am happy to create one.