Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What is the correct use of $ oken on alert email notification?

SplunkExplorer
Contributor
‎06-27-2023 12:37 AM

Hi Splunkers, I have to configure, as alerts trigger actions, a mail sending that should have, in body test, some field contained in triggering events.
I found here on community this post: How to implement tokens in Email alert? that explain vey clear to use $result.<field_name>$ notation but also that "the field you want to specify must be returned in the first result row of the search".

So now a question arise.

Suppose I have this sample search:

 

index=* sourcetype=cybereason:malware status=detected 
| stats count by machineName

 

It return rows with 2 fields: the machine where infection has been detected and the event count. So, I should be able to use, in my mail notification:

$result.machineName$
$result.count$

but not $result.status$, cause it is used only as a filter and is not returned as search result. Am I wrong?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎06-27-2023 01:16 AM

Hi

that's correct. But you can get also status to your search by this change

 

index=* sourcetype=cybereason:malware status=detected 
| stats count values(status) as status by machineNam

 

This just add a new fields which shows all different status values. As you have only one status this works  as you need.

r. Ismo

View solution in original post

Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎06-27-2023 01:16 AM

Hi

that's correct. But you can get also status to your search by this change

 

index=* sourcetype=cybereason:malware status=detected 
| stats count values(status) as status by machineNam

 

This just add a new fields which shows all different status values. As you have only one status this works  as you need.

r. Ismo

Reply
Solved! Jump to solution

abi2023
Path Finder
‎06-27-2023 07:35 AM

Can I use same token concept in Splunk ES adaptive response action send email action if my notable event return the field?

0 Karma
Reply
Solved! Jump to solution

SplunkExplorer
Contributor
‎06-27-2023 01:30 AM

Hi @isoutamo, thanks a lot. Yea, I know how to return value using a stats, with value(argument) command or other, my question was to confirm I have to use "more complex" search if I need more fields in notification.

Another question arise now: if I have a simple search without transforming command, like:

index=* sourcetype=cybereason:malware status=detected

what will happend? The doubt is: due I use no transforming command, I will be able to access all fields in the logs OR the opposite, and so I will not able to add fields in notification, because I did not specified what field to return?

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-27-2023 01:13 AM

You are correct. However, you could add the status back to the stats command

| stats count by machineName status

Then you would have access to $result.status$ as well

Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...