Multiple Results in an alert emails subject

Explorer

I'm trying to add the hostnames that result from a search to the email subject of an alert, but currently I'm only able to have 1 hostname in the subject when I use $result.host$. For example, if the search results in having host1 and host2, only host1 will show up in the email subject line. Is there a way to have both hosts show?

Thanks

0 Karma

Re: Multiple Results in an alert emails subject

Builder

Are you looking for something like rex max_match=0?

https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Rex

max_match
Syntax: max_match=<int>
Description: Controls the number of times the regex is matched. If greater than 1, the resulting fields are multivalued fields.
Default: 1, use 0 to mean unlimited.

0 Karma

Re: Multiple Results in an alert emails subject

Esteemed Legend

In your search, add this SPL:

| eventstats values(host) AS _host_list
| nomv _host_list

Then use $result._host_list$ in your subject.
