
can't get alert results to show in alert e-mail messages

stillerz
Engager

Hi,

I'm on v6.1.4 and have real-time alerts configured and they are triggering and sending e-mails fine, but the e-mail message content doesn't include the results from the search/alert.

I'm trying to get some of the field names that I have defined to show up in the alert e-mail body but all I get are blanks. I've also tried just having the entire result included in the e-mail message and that shows as a blank also.

I am using the tokens $result.fieldname$ in the message. In my example, it is $result.username$ where username is a field that I have defined.

Thank you!


rapmancz
Explorer

Hello, I had the same issue; it didn't work for me either. I solved it with an explicit field definition, in your case YOURSEARCH | fields username, vpnuser, Reason ....

Then the tokens $result.username$, $result.vpnuser$, $result.Reason$ started to work in e-mail definition...

yemyslf
Path Finder

This worked for me...thanks!

0 Karma

nadlurinadluri
Communicator

What if we have two rows, and we need to print the second row also?

Then the tokens $result.username$, $result.vpnuser$, $result.Reason$ started to work in e-mail definition...

This will give me the first value of that field (first row), but in my case I need 2 rows. Any idea how to solve this?

0 Karma
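
Added example (not from any poster in this thread, and not Splunk's own sample configuration): a savedsearches.conf stanza that combines the explicit `| fields` fix described above with one way to get several rows into the message, by collapsing them into a single row before the `$result.fieldname$` tokens are read. The stanza name, index, sourcetype, search term, recipient and the scheduled (rather than real-time) trigger are assumptions; the field names `vpnuser` and `Reason` are the ones used in this thread.

```ini
# savedsearches.conf -- constructed example, all values below are placeholders
[VPN connection rejected]
# 1. stats collapses every matching event into ONE result row, so the
#    first-row-only $result.*$ tokens see all users and reasons.
# 2. mvjoin turns each multivalue field into a plain comma-separated string.
# 3. where count > 0 drops the row when nothing matched, so no empty mail is sent.
# 4. fields names the fields explicitly (the fix reported in this thread).
#    Field names are case-sensitive: Reason is not the same field as reason.
search = index=vpn sourcetype=vpn_log "rejected" \
| stats count values(vpnuser) AS vpnuser values(Reason) AS Reason \
| where count > 0 \
| eval vpnuser=mvjoin(vpnuser, ", "), Reason=mvjoin(Reason, ", ") \
| fields count, vpnuser, Reason

# Run every 5 minutes over the previous 5 minutes
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m
dispatch.latest_time = now

# Trigger when the search returns at least one result row
counttype = number of events
relation = greater than
quantity = 0

# E-mail action: tokens are filled from the first (here: only) result row
action.email = 1
action.email.to = soc@example.com
action.email.subject.alert = VPN rejections: $result.count$
action.email.message.alert = Connection rejected for user(s): $result.vpnuser$ - Reason(s): $result.Reason$
```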

emasplunk
New Member

Same here for me. I want to include some of the fields from the search result in the email-body (in the best case: in the To: address as well)...

Despite the documentation stating (http://docs.splunk.com/Documentation/Splunk/latest/Alert/Setupalertactions)
I should be able to insert tokens in the mail body, all I get is empty text blocks...

I have some (custom extracted fields) "Reason" and "vpnuser" in the search result I want to show in the email. Following the documentation using the $result.fieldname$ syntax, this would look something like this:

///
Connection to ... was rejected for
userA $vpnuser$
userB $result.vpnuser$
ReasonA: $Reason$
ReasonB: $result.Reason$
in lower case: $result.reason$
///

This produces a triggered email containing:

///
Connection to ... was rejected for
userA
userB
ReasonA:
ReasonB:
in lower case:
///

Any idea how to get the fields filled in?

0 Karma

bkondakindi
Path Finder

You mean when you get the alerts, when you click that link it is not redirecting to the right URL, or is it some other issue?

more alert_actions.conf
[email]
reportPaperSize = ledger
mailserver = smtp.glb.tiaa-cref.org

[default]
hostname = complete FQDN name
maxresults = 10000
maxtime = 5m
track_alert = 0
ttl = 10p

0 Karma

stillerz
Engager

I'm not using the results URL, but instead I'm embedding fields (variables) from the results into the e-mail message body but I'm only getting blanks. I also get a blank when I try to embed all results using the token $result$, which I would expect to be text, not a URL.

Are you recommending that I check my mailserver name? If so, I'm just using a gmail account to send the alert messages.

0 Karma