
Splunk Alerts: Is it possible to have different results shown in the inline table and the attached CSV?

Explorer

Hi,

I was wondering if it was possible for a Splunk email alert to have a different result set shown between the inline table and the attached csv file.

Example: If I have an alert that identified 6 authentication events and the inline table has 5 columns: date/time, login ID, IP address, Server Name, Page Name, and Status - is it possible for the same alert to have an attached CSV file that only shows 3 of those columns?

Any help is appreciated. Thanks!


Re: Splunk Alerts: Is it possible to have different results shown in the inline table and the attached CSV?

Esteemed Legend

Unfortunately, no. However you can easily find the python script that does the emailing and you could modify this to your heart's content.


Re: Splunk Alerts: Is it possible to have different results shown in the inline table and the attached CSV?

Legend

A workaround could be to create two alerts with the same search and different output (table command): one for the CSV and one for the inline table.
Bye.
Giuseppe

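One way to set up the two-alert workaround from the reply above, as an added example in savedsearches.conf that is not from the thread and not Splunk's own code: both stanzas share the search, schedule and time window and differ only in the final `table` command and in whether results go inline or as a CSV attachment. The index, sourcetype, field names, recipient address and schedule are assumed placeholders; replace them with your own.

```ini
# savedsearches.conf, e.g. $SPLUNK_HOME/etc/apps/<your_app>/local/savedsearches.conf
# Added example, not from the thread. index, sourcetype, field names,
# recipient and schedule are assumed placeholders.

# Alert 1: full six-column table, delivered inline in the email body only.
[Auth events - inline table]
search = index=web sourcetype=access_combined action=login | table _time, user, src_ip, host, uri_path, status
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
action.email = 1
action.email.to = secops@example.com
action.email.subject = Auth events (inline table)
action.email.sendresults = 1
action.email.inline = 1
action.email.format = table
action.email.sendcsv = 0

# Alert 2: identical search and schedule, reduced to three columns,
# delivered only as a CSV attachment (no inline table).
[Auth events - csv attachment]
search = index=web sourcetype=access_combined action=login | table _time, user, status
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
action.email = 1
action.email.to = secops@example.com
action.email.subject = Auth events (csv attachment)
action.email.sendresults = 1
action.email.inline = 0
action.email.sendcsv = 1
```

Keep `cron_schedule`, `dispatch.earliest_time` and `dispatch.latest_time` identical in both stanzas: the two alerts are independent scheduled searches, so a differing window or late-indexed events can otherwise make the inline table and the CSV disagree on which events they contain. The recipient lists may differ, which is the practical payoff of the workaround when the reduced CSV is meant for a wider audience than the full table with IP addresses and server names.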