Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Pass string/token to email alert text

jdrohen
New Member
‎02-26-2020 06:44 AM

I have a search
"%UC_CALLMANAGER-6-DeviceUnregistered" "DeviceType=90" OR "DeviceType=73"

Which correctly matches the below entry and I have an alert so send an email notification. I would like to pass a string from the syslog text (DeviceName=JK-Test) in the email message but can’t seem to get it pass. When I expand the syslog in search it says DeviceName is JK-Test. In my email message I have tried:

email text:
$Result.DeviceName$ test line 1
"$event.DeviceName$" test line 2
$DeviceName$ test line 3
$result.devicename$ test line 4

Is there a format to where I can pass that info?

search result:
Feb 25 16:17:26 myserver.local Feb 25 2020 22:17:26.527 UTC : %UC_CALLMANAGER-6-DeviceUnregistered: %[DeviceName=JK-Test][IPAddress=1.1.1.1][Protocol=RouteList][DeviceType=90][Description=Test Hunt Group][Reason=8][IPAddrAttributes=0][AppID=Cisco CallManager][ClusterID=StandAloneCluster][NodeID=myserver]: Device unregistered

0 Karma
Reply

masonmorales
Influencer
‎02-26-2020 06:03 PM

Take a look at https://answers.splunk.com/answers/342128/why-does-resultfieldname-token-not-work-in-alert-e.html

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Unveiled: Navigating OpenTelemetry's Framework and Deployment Options

Observability Unveiled: Navigating OpenTelemetry's Framework and Deployment Options A recent Tech Talk, ...

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...