Email Alert - Result tokens

Path Finder

Can I use a field as a token without showing it in the search?

For example:
index=idxabc sourcetype=srca TOTAL > 10 | table Col1 Col2 Col3

I want to use $result.TOTAL$. In other words, I want to refer to a column without showing it in the search results.

0 Karma

Super Champion

Try this (put TOTAL in the table but use under options):

  <row>
    <panel>
      <table>
        <title>TITLE</title>
        <search>
          <query>index=idx_abc sourcetype=src_a TOTAL > 10 | table Col1 Col2 Col3 TOTAL </query>
          <set token="total">$result.TOTAL$</set>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="drilldown">cell</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
        <fields>["Col1","Col2","Col3"]</fields>
      </table>
    </panel>
  </row>
0 Karma

Path Finder

Hi @cmerriman, thank you.

Unfortunately it does not work, because if I try to use $result.TOTAL$, the value comes up empty in the email.

0 Karma

Super Champion

You might need to do:

<done>
<set token="total">$result.TOTAL$</set>
</done>

or

<preview>
<set token="total">$result.TOTAL$</set>
</preview>

Something to help troubleshoot tokens is to use showtokens.js to see if the token is being created/evaluated correctly.

0 Karma

Path Finder

@cmerriman, thank you again.

I got your point, but by default I can't use Simple XML in an email alert notification, can I?
(http://docs.splunk.com/Documentation/Splunk/6.5.0/Alert/EmailNotificationTokens)

0 Karma

Super Champion

Sorry, I was thinking through dashboards and not alerts. I think the field has to be available for you to use it in your alert.

0 Karma
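
An added example, not part of the original thread: a savedsearches.conf stanza for the email-alert case discussed above. It keeps TOTAL in the search results so that $result.TOTAL$ (read from the first result row) resolves, and leaves the results table out of the email so the column is not displayed. The stanza name, schedule, recipient and message text are constructed; the search is the one posted earlier in the thread.

```ini
# Hypothetical alert name (constructed for this example)
[Example - TOTAL over threshold]
# TOTAL stays in the final result set; a field dropped by "table" or
# "fields" is no longer available as a $result.<field>$ token.
search = index=idx_abc sourcetype=src_a TOTAL > 10 | table Col1 Col2 Col3 TOTAL
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now

# Trigger when the search returns at least one result
counttype = number of events
relation = greater than
quantity = 0

action.email = 1
# Constructed recipient
action.email.to = soc@example.com
action.email.subject.alert = Splunk Alert: $name$
# $result.TOTAL$ expands to the TOTAL value of the first result row
action.email.message.alert = TOTAL reached $result.TOTAL$ for alert $name$.
# Do not embed or attach the results table, so the TOTAL column is
# used by the token but never shown in the email body
action.email.inline = 0
action.email.sendresults = 0
```

If the email must still show a table with Col1, Col2 and Col3, the table would include the TOTAL column as well, since the inline table is built from the same result set the token reads from.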