Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Not able to fetch extracted fields as tokens in email

Prabhakar_2
Engager
‎08-09-2017 04:04 AM

Hi,

I have extracted a field (j_scheduleid) using Interactive field extractor and I'm able to add that to the selected fields list. I created an alert and I'm able to fetch the data elements into the email using tokens like $result.host$ and $result.source$.. but the extractor field is not getting captured in the email.. like $result.j_scheduleid$

Assistance needed.

With Regards;
Rao

Reply

woodcock
Esteemed Legend
‎08-09-2017 04:15 AM

Is the alert running in the same app context as the field extraction KO exists? When you click on the alert link, is the field actually there (probably not)?

0 Karma
Reply

Prabhakar_2
Engager
‎08-09-2017 04:29 AM

You are correct. In the results link i am not able to spot the extracted field, the defaulted 3 fields are showing up. And its in the same app context where the KO (extracted fields) exists.

What could be the cause of getting the extracted field getting suppressed ?

0 Karma
Reply

woodcock
Esteemed Legend
‎08-09-2017 04:39 AM

You need to expand the effected scope of the field extraction KO or make your alert search match it's scope. It should be that if you personally own both the alert (saved search) and the field extraction KO and they are both in the same app, they should work together fine. Many people take the short-sighted approach of making the field extraction global scope but I would not do this without thinking about it.

0 Karma
Reply
Get Updates on the Splunk Community!

New Year, New Changes for Splunk Certifications

As we embrace a new year, we’re making a small but important update to the Splunk Certification ...

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...