Hello,
I'm trying to create an alert in DEV Environment to include "DEV" with subject something like
Splunk Alert: DEV - MyAlert
I can't hardcore this since we deploy the same alert to PROD through GIT and we can't make corrections to the code.
So I'm looking something (Splunk Alert: $env$- $name$) if there is way to implement this.
My splunk cloud urls
DEV : xydev.splunkcloud.com
PROD : xyprod.splunkcloud.com
1. You posted it in "Geting data in" section which deals with... well, getting data into Splunk. But you're talking about alerts. Do you want to ingest alerts into Splunk or are you talking about something else?
2. If by any chance you're talking about triggering alerts withing Splunk by means of saved search and alert actions - are you talking about custom alert action or just a standard action (which one?) just triggered on different environments?
Apologies, didn't realized it got posted in "Getting Data in".
Well, I have a data already in Splunk and trying to create a custom alert to trigger an email to DL, when the condition met. But I don't have an env field in either DEV & PROD data. When I create alert with subject DEV $name$. the admin team deploying the same code to PROD saying that they wanted to keep the same code across all env.
I'm getting the alert as "DEV myAlert" in PROD. So checking if there is a way to implement this just by including the token ??
https://docs.splunk.com/Documentation/Splunk/9.2.0/Alert/EmailNotificationTokens
Here you have what tokens you can use. I assume you want the same saved search config on both environments so result-based tokens are also a no-no. So you're limited to $server.serverName$ I think