Why does $result.fieldname$ token not work in aler...

dmytro_gokun · ‎01-13-2016

As specified here:

http://docs.splunk.com/Documentation/Splunk/6.1/Alert/Setupalertactions#Use_tokens_in_email_notifica...

it should be possible to use a field from the event that caused the alert by typing

$result.<fieldname>$

This works fine for standard fields, e.g. $result.host$. But, with customer fields, it does not seem to work. For example, the event that triggers the alert has a field named "AppName". When I specify $result.AppName$ in the e-mail subject, it is substituted with an empty string as if that field did not exist.

Any ideas why?

nick405060 · ‎01-08-2020

You stated that this happens with your custom fields.

However, I do not think it is an issue with your custom fields, as I do not have a problem doing this with my custom fields if I do not table. Yet I do have a problem doing this with my table command. I'm willing to wager you used a table or a chart. I think this is a bug.

https://answers.splunk.com/answers/793094/can-you-put-a-non-tabled-field-in-an-alert-title.html

schollaert · ‎10-16-2017

Hello,

Looks like this still does not work in 7.0.

Another workaround that worked for me to resolve an empty token $result.Value$ in the message is putting Value=* in the search.

source="Perfmon:Schijfruimte" host="rivm-sf-0107" index="perfmon" counter="Free Megabytes" instance=D: Value=*

Best regards,

Jan ,Looks like this problem still exists in 7.0

Another workaround that worked for me to solve the empty token $result.Value$ in the message is adding this to the search: Value=*

Regards,

Jan

snaikwade_splun · ‎11-14-2017

Even when I include the Value=* in the search, I am not able to get the token in Subject Line.

An interesting thing is - I am able to get the $result.Value$ in the message body but not Subject

ifeldshteyn · ‎06-19-2019

On 6.5.3 I had to add Value=* for it to show up in either Subject or Body. It seems it is acting the same way many RESTful calls do. You have to explicitly specify which fields to return otherwise they won't be there.

ppablo · ‎01-13-2016

Hi @dmytro_gokun

Does the answer in this question explain/apply to the issue you're seeing?
https://answers.splunk.com/answers/326179/i-want-to-use-result-in-my-alert-messages-but-it-d.html

dmytro_gokun · ‎01-13-2016

Hi Pablo,

well, it kind of related, but i'm not sure if it's 100% my case.
What i have as the alert's source is a simple search without any "transforming commands". So, it looks pretty strange that some fields are absent from that. I might be wrong here, but it looks like a bug in Splunk to me. What do you think? Should we report a bug?

I managed to make fields available by piping the search results into the "fields" command listing all the fields i need. It's a bit clumsy work-around, but it does the trick.

Best regards,
Dmytro.

ppablo · ‎01-19-2016

Hi @dmytro_gokun

Thanks for sharing your workaround for others to try out. If other users don't come along this post to help dig deeper into what the problem is, then it won't hurt to submit it as a bug here http://www.splunk.com/r/bugs

If you find out anything, either an explanation of the unexpected behavior or confirmation that it's a bug, please update this post as it'd be helpful for other folks to be aware of.

@davidpaper, do you think you'd be able to chime in on this post?

jgoddard · ‎09-12-2016

Is there a user tool to lookup bugs that have been submitted to splunk? This definitely feels like a bug, but I don't want to submit duplicates, there are a few bugs that I am still waiting on. 🙂

If this isn't already in their buglist, I am happy to create one.

Why does $result.fieldname$ token not work in alert emails?

What's New in Splunk Cloud Platform 9.3.2411?

Buttercup Games: Further Dashboarding Techniques (Part 6)

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!