Alerting

$result.<field>$ Not Showing in Email Alert

Tiny_Trex
Engager

I have an alert saved that is straightforward. The search is:
index=mydata action=block

I have it on a cron schedule and I get results from it when manually running the search. I can see the field asset.name is returned and it has the expected data I want in it. I configure my alert action to email me and in the body I put in $result.asset.name$.

When the email is received, it is a blank email. For troubleshooting, I tried a different field named 'id', and put in $result.id$ and $result.asset.name$ in the body of the email alert action. The id data shows up but not the asset.name.

I changed my search to have |table asset.name at the end and I again see the data I want in a manual search. I tried adding an |eval dvc='asset.name' to my search and again I see dvc now has the data I want in it. But if I put $result.dvc$ in the email body, I again get a blank email.

Please help me to understand what I'm doing wrong. Thanks


Tiny_Trex
Engager

From what I can tell it's just a straightforward field with a single value from a JSON feed. Here's an event example from the search:

{
   action: Block
   asset: {
     id: xxxxx-xxxx-xxxxx-xxxx-xxxxxxxx
     kind: Endpoint
     name: Vxxxxx3
   }
   dataType: Event
   guid: 0xxxxxx
   id: 7c332exxxxb24e
   kind: TrustDowngrade
   occurredAt: 2025-03-18T14:56:13.748Z
   primaryProcess: { ... }
   processes: [ ... ]
   summary: { ... }
   tenantId: xxxx-xxxxx-xxxx-xxxx-xxxxxxxx
}

It's JSON data, so the field name of the thing I want ends up being asset.name, and the data does show Vxxxxx3.
I thought maybe it was a search timing thing, like the field wasn't there when the search was run in the alert (it seemed unlikely, but I'm having no luck so far in figuring this out), so I did a rex on the raw data to pull the data I wanted using:

| rex field=_raw "\"name\":\"(?<hostname>[^\"]*)\""

and again, I now see a hostname field with the Vxxxxx3 data in it, like I'd expect. But when I put $result.hostname$ into the message of the alert, all I get is a blank email.


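The rex in the post above pulls the hostname out of _raw by text matching rather than by JSON structure. As an added illustration (not code from the thread, and it says nothing about why the alert token renders blank), the Python below applies that same pattern to two constructed events modelled on the anonymised sample: one serialised with the asset object first, one with primaryProcess first. The names, key order and the nested process "name" key are assumptions for the demonstration. With rex's default max_match=1 the regex returns the first "name" it meets in the raw text, so the result depends on key order in the raw event; a structured lookup of the dotted path asset.name (what Splunk's spath command does, e.g. | spath path=asset.name output=hostname) is order-independent.

```python
import json
import re

# Constructed sample event modelled on the anonymised one in the thread.
# Values are placeholders, not real data. Compact separators reproduce the
# "key":"value" spacing that the thread's regex expects (no space after the colon).
_BASE = {
    "action": "Block",
    "asset": {"id": "xxxxx-xxxx", "kind": "Endpoint", "name": "Vxxxxx3"},
    "dataType": "Event",
    "id": "7c332exxxxb24e",
    "kind": "TrustDowngrade",
    # Assumption for the demo: the collapsed primaryProcess object also has a "name".
    "primaryProcess": {"name": "svchost.exe", "pid": 1234},
}
COMPACT = {"separators": (",", ":")}

# asset serialised before primaryProcess, as in the event shown in the thread
EVENT_ASSET_FIRST = json.dumps(_BASE, **COMPACT)

# Same content, but primaryProcess serialised before asset (key order in a raw
# JSON string is not guaranteed by the producer; assumption for the demo).
_reordered = {"action": _BASE["action"], "primaryProcess": _BASE["primaryProcess"]}
_reordered.update({k: v for k, v in _BASE.items() if k not in _reordered})
EVENT_PROCESS_FIRST = json.dumps(_reordered, **COMPACT)

# The pattern from the thread's rex command, in Python named-group syntax
NAME_RE = re.compile(r'"name":"(?P<hostname>[^"]*)"')


def rex_first_match(raw):
    """Mimic `rex field=_raw ...` with its default max_match=1: first textual match wins."""
    m = NAME_RE.search(raw)
    return m.group("hostname") if m else None


def get_path(raw, path):
    """Structured lookup of a dotted path such as asset.name (what spath does).

    Returns None if any segment of the path is missing, instead of guessing.
    """
    obj = json.loads(raw)
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def compare_extractions(raw):
    """Return both extraction results for one raw event so they can be compared."""
    return {"rex": rex_first_match(raw), "spath": get_path(raw, "asset.name")}


if __name__ == "__main__":
    for label, ev in (("asset first", EVENT_ASSET_FIRST), ("process first", EVENT_PROCESS_FIRST)):
        print(label, compare_extractions(ev))
```

On the first event both methods agree on Vxxxxx3; on the reordered event the regex returns the process name while the structured lookup still returns the asset name. That is the caveat to keep in mind when validating a rex-based extraction against a handful of events: agreement on the sample does not prove the pattern targets the right key.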

ITWhisperer
SplunkTrust

What is the nature of the data and field? For example, is it multi-value? Does it contain any special characters? In situations like this, it would be really helpful if you could share some sample anonymised events (preferably in a code block </> to preserve formatting).
