Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to Declare ENV Variable in Alert

Naa_Win
Path Finder
‎02-21-2024 11:57 AM

Hello,

I'm trying to create an alert in DEV Environment to include "DEV" with subject something like 

Splunk Alert:  DEV - MyAlert

I can't hardcore this since we deploy the same alert to PROD through GIT and we can't make corrections to the code. 

So I'm looking something (Splunk Alert:  $env$- $name$) if there is way to implement this. 

My splunk cloud urls
DEV : xydev.splunkcloud.com
PROD : xyprod.splunkcloud.com

Tags (2)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-21-2024 12:13 PM

1. You posted it in "Geting data in" section which deals with... well, getting data into Splunk. But you're talking about alerts. Do you want to ingest alerts into Splunk or are you talking about something else?

2. If by any chance you're talking about triggering alerts withing Splunk by means of saved search and alert actions - are you talking about custom alert action or just a standard action (which one?) just triggered on different environments?

0 Karma
Reply

Naa_Win
Path Finder
‎02-21-2024 12:25 PM

Apologies, didn't realized it got posted in "Getting Data in".

Well, I have a data already in Splunk and trying to create a custom alert to trigger an email to DL, when the condition met. But I don't have an env field in either DEV & PROD data. When I create alert with subject DEV $name$. the admin team deploying the same code to PROD saying that they wanted to keep the same code across all env. 

I'm getting the alert as "DEV myAlert" in PROD. So checking if there is a way to implement this just by including the token ?? 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-21-2024 01:12 PM

https://docs.splunk.com/Documentation/Splunk/9.2.0/Alert/EmailNotificationTokens

Here you have what tokens you can use. I assume you want the same saved search config on both environments so result-based tokens are also a no-no. So you're limited to $server.serverName$ I think

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...