Alerting
Highlighted

Why is one of my email alert fields blank?

Path Finder

I am alerting on a failed login search provided below:-

host=CATSG14 "Failed login" GATEWAY="" USER_IDv3=""| stats count by USER_IDv3

I would like my email alert to say:

The alert condition for '$name$' was triggered.

User $result.USER_IDv3$ is having trouble accessing the $GATEWAY$ gateway.

The email picks out the USER_IDv3 field, but leaves the GATEWAY field blank. Is there anyway to grab the GATEWAY field?

0 Karma
Highlighted

Re: Why is one of my email alert fields blank?

SplunkTrust
SplunkTrust

That's because your stats does not return the GATEWAY name and therefore is not part of the results.

Try this instead:

host=CATSG14 "Failed login" GATEWAY="*" USER_IDv3="*"| stats count by USER_IDv3, GATEWAY

Keep in mind you'll need to use $result. GATEWAY$ and not $GATEWAY$ in your alert by the way

View solution in original post