Hi,
I was wondering if it was possible for a Splunk email alert to have a different result set shown between the inline table and the attached csv file.
Example: If I have an alert that identified 6 authentication events and the inline table has 5 columns: date/time, login ID, IP address, Server Name, Page Name, and Status - is it possible for the same alert to have an attached CSV file that only shows 3 of those columns?
Any help is appreciated. Thanks!
Unfortunately, no. However, you can easily find the Python script that does the emailing, and you could modify this to your heart's content.
A workaround could be to create two alerts with the same search and different output (table command): one for the CSV and one for the inline table.
Bye.
Giuseppe
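As an added illustration of the two-alert workaround described in the answer above (this is example configuration written for this page, not from the original thread or from Splunk's own docs), here is how the two saved searches could be defined in savedsearches.conf. Both run the same base search; only the trailing `table` command and the email delivery keys differ. The index, sourcetype, field names, schedule and recipient address are assumed placeholders.

```ini
# Constructed example: two scheduled alerts sharing one base search.
# Alert 1 delivers all five columns as an inline table in the email body.
[auth_events_inline]
search = index=auth sourcetype=auth_log | table _time, login_id, src_ip, server_name, page_name, status
dispatch.earliest_time = -15m
dispatch.latest_time = now
cron_schedule = */15 * * * *
enableSched = 1
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
action.email = 1
action.email.to = secops@example.com
action.email.subject = Authentication events (inline table)
action.email.inline = 1
action.email.format = table
action.email.sendcsv = 0

# Alert 2 delivers only three of those columns as an attached CSV,
# with no inline results in the body.
[auth_events_csv]
search = index=auth sourcetype=auth_log | table _time, login_id, status
dispatch.earliest_time = -15m
dispatch.latest_time = now
cron_schedule = */15 * * * *
enableSched = 1
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
action.email = 1
action.email.to = secops@example.com
action.email.subject = Authentication events (CSV attachment)
action.email.inline = 0
action.email.sendcsv = 1
```

Keeping the two schedules and time windows identical ensures both emails describe the same set of events; if the recipient only needs the reduced column set in the attachment, this also limits how much detail (for example source IPs) leaves the system in that file.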