Hi
I am trying to set up an alert with the following query for tickets that are not assigned to someone after 10 mins. I wanted the ticket number to be populated in the mail, but I am not getting it; rather, the mail is sent without the ticket number.
index="servicenow" sourcetype=":incident"
| where assigned_to = ""
| eval age = now() - _time
| where age > 600
| table ticket_number, age, assignment_group, team
| lookup team_details.csv team AS team OUTPUTNEW alert_email, enable_alert
| where enable_alert = "Y"
| sendemail to="$alert_email$" subject="Incident no. $ticket_number$ is not assigned for more than 10 mins - Please take immediate action" message="Hi Team,
This is to notify you that the ticket $ticket_number$ is not assigned for more than 10 mins. Please take necessary action on priority"
You need to use your result tokens, not just some name out of the blue.
https://docs.splunk.com/Documentation/Splunk/latest/Alert/EmailNotificationTokens