Getting Data In

What is the correct use of $token$ in alert email notification?

SplunkExplorer
Contributor

Hi Splunkers, I have to configure, as an alert trigger action, a mail sending that should have, in the body text, some fields contained in the triggering events.
I found here on the community this post: How to implement tokens in Email alert? that explains very clearly how to use the $result.<field_name>$ notation, but also that "the field you want to specify must be returned in the first result row of the search".

So now a question arises.

Suppose I have this sample search:

index=* sourcetype=cybereason:malware status=detected
| stats count by machineName

It returns rows with 2 fields: the machine where the infection has been detected and the event count. So, I should be able to use, in my mail notification:

$result.machineName$
$result.count$

but not $result.status$, because it is used only as a filter and is not returned as a search result. Am I wrong?

0 Karma
1 Solution

isoutamo
SplunkTrust
SplunkTrust

Hi

that's correct. But you can also get status into your search by this change

index=* sourcetype=cybereason:malware status=detected
| stats count values(status) as status by machineName

This just adds a new field which shows all different status values. As you have only one status, this works as you need.

r. Ismo

abi2023
Path Finder

Can I use the same token concept in the Splunk ES adaptive response "send email" action if my notable event returns the field?

0 Karma

SplunkExplorer
Contributor

Hi @isoutamo, thanks a lot. Yeah, I know how to return values using stats, with the value(argument) command or others; my question was to confirm that I have to use a "more complex" search if I need more fields in the notification.

Another question arises now: if I have a simple search without a transforming command, like:

index=* sourcetype=cybereason:malware status=detected

what will happen? The doubt is: since I use no transforming command, will I be able to access all fields in the logs, OR the opposite, meaning I will not be able to add fields to the notification because I did not specify which fields to return?

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

You are correct. However, you could add the status back to the stats command

| stats count by machineName status

Then you would have access to $result.status$ as well
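Putting the two answers above into practice, here is an added example of what the saved-search stanza for this alert could look like in an app's local savedsearches.conf. It is not code from any poster in this thread: the stanza name, recipient address, schedule and trigger condition are assumptions, and the search uses isoutamo's values(status) as status form so that machineName, count and status are all columns of the first result row and can be referenced as $result.<field>$ tokens (ITWhisperer's "by machineName status" would work the same way).

```ini
# Added example (not from the thread): savedsearches.conf stanza for the
# malware-detection alert. Stanza name, recipient, schedule and trigger
# threshold are assumptions; the search is the one discussed above.
[Cybereason - malware detected per host]
search = index=* sourcetype=cybereason:malware status=detected \
| stats count values(status) as status by machineName
dispatch.earliest_time = -15m
dispatch.latest_time = now
cron_schedule = */15 * * * *
enableSched = 1

# Fire whenever the stats output has at least one row
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1

# Email action. $result.<field>$ tokens resolve against the FIRST result
# row only, so every field used below must be a column the stats command
# returns; status is available only because it was added back via values().
action.email = 1
action.email.to = soc@example.com
action.email.subject = Malware detected on $result.machineName$
action.email.message.alert = Host $result.machineName$ has $result.count$ detected malware event(s); status: $result.status$
action.email.sendresults = 1
action.email.inline = 1
```

Because the subject and body only ever see the first row, the message reports a single host even when several machines match; keep action.email.sendresults = 1 so the full table of hosts travels with the mail, and check the rendered message against a test run of the search before relying on it for SOC notifications.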
