Alerting

$result.<field>$ Not Showing in Email Alert

Tiny_Trex
Engager

I have an alert saved that is straightforward. The search is:
index=mydata action=block

I have it on a cron schedule and I get results from it when manually running the search. I can see the field asset.name is returned and it has the expected data I want in it. I configure my alert action to email me and in the body I put in $result.asset.name$.

When the email is received, it is a blank email. For troubleshooting, I tried a different field named 'id', and put in $result.id$ and $result.asset.name$ in the body of the email alert action. The id data shows up but not the asset.name.

I changed my search to have |table asset.name at the end and I again see the data I want in a manual search. I tried adding an |eval dvc='asset.name' to my search and again I see dvc now has the data I want in it. But if I put $result.dvc$ in the email body, I again get a blank email.

Please help me to understand what I'm doing wrong. Thanks

0 Karma

Tiny_Trex
Engager

From what I can tell it's just a straightforward field and single value from a JSON feed. Here's an event example from the search:

{ [-]
   action: Block
   asset: { [-]
     id: xxxxx-xxxx-xxxxx-xxxx-xxxxxxxx
     kind: Endpoint
     name: Vxxxxx3
   }
   dataType: Event
   guid: 0xxxxxx
   id: 7c332exxxxb24e
   kind: TrustDowngrade
   occurredAt: 2025-03-18T14:56:13.748Z
   primaryProcess: { [+]
   }
   processes: [ [+]
   ]
   summary: { [+]
   }
   tenantId: xxxx-xxxxx-xxxx-xxxx-xxxxxxxx

It's JSON data so the field format on the thing I want ends up being asset.name and the data does show Vxxxxx3.
I thought maybe it was a search timing thing, like the field wasn't there when the search was run in the alert (seemed unlikely, but I'm having no luck so far in figuring this out), so I did a rex on the raw data to pull the data I wanted using:

| rex field=_raw "\"name\":\"(?<hostname>[^\"]*)\""

and again, I now see a hostname field with the Vxxxxx3 data in it like I'd expect. But when I put $result.hostname$ into the message of the alert, all I get is a blank email.
0 Karma

ITWhisperer
SplunkTrust

What is the nature of the data and field? For example, is it multi-value? Does it contain any special characters? In situations like this, it would be really helpful if you could share some sample anonymised events (preferably in a code block </> to preserve formatting).

0 Karma