Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Not able to fetch extracted fields as tokens in email

Prabhakar_2
Engager
‎08-09-2017 04:04 AM

Hi,

I have extracted a field (j_scheduleid) using Interactive field extractor and I'm able to add that to the selected fields list. I created an alert and I'm able to fetch the data elements into the email using tokens like $result.host$ and $result.source$.. but the extractor field is not getting captured in the email.. like $result.j_scheduleid$

Assistance needed.

With Regards;
Rao

Reply

woodcock
Esteemed Legend
‎08-09-2017 04:15 AM

Is the alert running in the same app context as the field extraction KO exists? When you click on the alert link, is the field actually there (probably not)?

0 Karma
Reply

Prabhakar_2
Engager
‎08-09-2017 04:29 AM

You are correct. In the results link i am not able to spot the extracted field, the defaulted 3 fields are showing up. And its in the same app context where the KO (extracted fields) exists.

What could be the cause of getting the extracted field getting suppressed ?

0 Karma
Reply

woodcock
Esteemed Legend
‎08-09-2017 04:39 AM

You need to expand the effected scope of the field extraction KO or make your alert search match it's scope. It should be that if you personally own both the alert (saved search) and the field extraction KO and they are both in the same app, they should work together fine. Many people take the short-sighted approach of making the field extraction global scope but I would not do this without thinking about it.

0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...