Hey snoobzilla , Does this got resolved, even I have same issue

So now I seem to be able to modify email subjects. Further investigation it seems like you cannot include search fields specific to results in Subject, e.g.

This string: Subject Test: Search: $name$ Results: $results.count$ Date: $result.Date$ Client: $result.Client$

In Subject: Subject Test: Search: This is Search Name Results: 1 Date: Client:

In Body: Subject Test: Search: This is Search Name Results: 1 Date: 2016/04/05 Client: 12345678

It doesn't seem to matter what other email parameters are. Per result, per search, inline table, etc, from splunkweb does not want to put $result.fieldname$ in subject.

@woodcock thanks for your feedback. Will probably go that direction.

SPLUNK: It would be extremely helpful to be able to do per result emails with field values in subject... this would allow same email to indicate actionable or not, etc. Please consider putting this capability in Splunkweb.

OK, so if we agree that this is as close as you can get, you should probably click Accept to close the question.

I already have another alert that sends emails to different email addresses for each result using splunkweb interface and a results token. I would have liked to have custom email subject in that one too.

So thank you for the feedback, but issue I am trying to solve for is specific to email subject.

Nothing I do in splunkweb email action changes the email title from Splunk Alert: $searchname$ whether tokens are present or not.

My solution allows you to specify specific subjects using tokens.

Thanks. That may be direction I end up going in.

I was hoping to use splunkweb directly as I am not the only one facing this issue.

Right now we are having problems where scheduled jobs occasionally stop firing altogether since Search Head Clustering update, so this is on back burner at the moment.

No, this is an example of one where I am sending separate email for every result.