Getting Data In

What is the correct use of $token$ on alert email notification?

SplunkExplorer
Contributor

Hi Splunkers, I have to configure, as an alert trigger action, a mail sending that should have, in the body text, some fields contained in the triggering events.
I found here on the community this post: How to implement tokens in Email alert? that explains very clearly how to use the $result.<field_name>$ notation, but also that "the field you want to specify must be returned in the first result row of the search".

So now a question arises.

Suppose I have this sample search:


index=* sourcetype=cybereason:malware status=detected
| stats count by machineName

It returns rows with 2 fields: the machine where the infection has been detected and the event count. So, I should be able to use, in my mail notification:

$result.machineName$
$result.count$

but not $result.status$, because it is used only as a filter and is not returned as a search result. Am I wrong?

0 Karma
1 Solution

isoutamo
SplunkTrust

Hi

That's correct. But you can also get status into your search with this change:


index=* sourcetype=cybereason:malware status=detected
| stats count values(status) as status by machineName

This just adds a new field which shows all the different status values. As you have only one status, this works as you need.

r. Ismo



abi2023
Path Finder

Can I use the same token concept in the Splunk ES adaptive response "send email" action if my notable event returns the field?

0 Karma

SplunkExplorer
Contributor

Hi @isoutamo, thanks a lot. Yes, I know how to return a value using stats, with the values(argument) function or others; my question was to confirm that I have to use a "more complex" search if I need more fields in the notification.

Another question arises now: if I have a simple search without a transforming command, like:

index=* sourcetype=cybereason:malware status=detected

what will happen? The doubt is: since I use no transforming command, will I be able to access all fields in the logs, OR the opposite, and so will I not be able to add fields to the notification, because I did not specify which fields to return?


0 Karma

ITWhisperer
SplunkTrust

You are correct. However, you could add the status back to the stats command

| stats count by machineName status

Then you would have access to $result.status$ as well
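The two searches discussed in this thread, written out as alert stanzas in savedsearches.conf. This is an added example, not configuration from the thread, from Splunk's documentation or from the Cybereason add-on; the stanza names, recipient address, schedule and time range are assumptions for illustration, and index=* is kept only because the thread uses it. The first stanza keeps status with values(status) as status, as in the accepted answer, so $result.status$ resolves; the second uses the raw event search from the follow-up question, where each result row is one event with its extracted fields, so $result.machineName$ and $result.status$ resolve from the first matching event but there is no count field to reference. In both cases $result.*$ only ever reads the first result row, which is why the full result table is also attached.

```ini
# savedsearches.conf (local/ of the app that owns the alert).
# Added example; stanza names, recipient, schedule and time range are assumptions.

# Transforming search: the body may use any field that stats returns in the
# first result row. status is retained with values(status) as status.
[Cybereason malware detected - per host]
search = index=* sourcetype=cybereason:malware status=detected | stats count values(status) as status by machineName
dispatch.earliest_time = -15m
dispatch.latest_time = now
enableSched = 1
cron_schedule = */15 * * * *
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
action.email = 1
action.email.to = soc@example.com
action.email.subject = $name$: malware detected on $result.machineName$
# $result.machineName$, $result.count$ and $result.status$ come from the FIRST row only.
# $job.resultCount$ gives the number of rows (hosts) the search returned.
action.email.message.alert = First host in the result set: $result.machineName$ ($result.count$ events, status=$result.status$). Hosts in this run: $job.resultCount$. Full table attached.
# Attach the whole result table so every host is visible, not only the first row.
action.email.sendresults = 1
action.email.inline = 1
action.email.format = table

# Non-transforming search: each result row is one raw event carrying its
# extracted fields, so $result.status$ and $result.machineName$ resolve from
# the first event. There is no count field here; use $job.resultCount$ for
# the event count rather than $result.count$.
[Cybereason malware detected - raw events]
search = index=* sourcetype=cybereason:malware status=detected
dispatch.earliest_time = -15m
dispatch.latest_time = now
enableSched = 1
cron_schedule = */15 * * * *
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
action.email = 1
action.email.to = soc@example.com
action.email.subject = $name$: $job.resultCount$ detection event(s), first on $result.machineName$
action.email.message.alert = First matching event: machineName=$result.machineName$ status=$result.status$. Total matching events: $job.resultCount$. Full results attached.
action.email.sendresults = 1
action.email.inline = 1
action.email.format = table
```

If the first stanza is expected to report more than one host per run, the per-host values only reach the body through the attached table; a body built from $result.*$ tokens will always describe whichever host happens to sort first. Where one message per host is required, enable per-result triggering (alert.digest_mode = 0) on that stanza so each row gets its own email with its own first row.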
