Getting Data In

What is the correct use of $token$ in an alert email notification?

SplunkExplorer
Contributor

Hi Splunkers, I have to configure, as an alert trigger action, an email whose body contains some fields from the triggering events.
I found here on the community this post: How to implement tokens in Email alert? It explains very clearly how to use the $result.<field_name>$ notation, but also that "the field you want to specify must be returned in the first result row of the search".

So now a question arises.

Suppose I have this sample search:


index=* sourcetype=cybereason:malware status=detected 
| stats count by machineName

It returns rows with 2 fields: the machine where the infection has been detected and the event count. So, I should be able to use, in my mail notification:

$result.machineName$
$result.count$

but not $result.status$, because it is used only as a filter and is not returned in the search results. Am I wrong?

0 Karma
1 Solution

isoutamo
SplunkTrust
SplunkTrust

Hi

That's correct. But you can also get status into your search results with this change:

index=* sourcetype=cybereason:malware status=detected 
| stats count values(status) as status by machineName

This just adds a new field which shows all the different status values. As you have only one status value, this works as you need.

r. Ismo


abi2023
Path Finder

Can I use the same token concept in the Splunk ES adaptive response "send email" action if my notable event returns the field?

0 Karma

SplunkExplorer
Contributor

Hi @isoutamo, thanks a lot. Yeah, I know how to return values using stats, with the values(argument) function or others; my question was to confirm that I have to use a "more complex" search if I need more fields in the notification.

Another question arises now: if I have a simple search without a transforming command, like:

index=* sourcetype=cybereason:malware status=detected 

what will happen? The doubt is: since I use no transforming command, will I be able to access all fields in the logs, OR the opposite, so that I will not be able to add fields to the notification because I did not specify which fields to return?

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

You are correct. However, you could add the status back to the stats command

| stats count by machineName status

Then you would have access to $result.status$ as well
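Putting the two answers together, here is how the full alert would look as a savedsearches.conf stanza. This is an added example, not part of the original thread or of Splunk's docs; the stanza name, recipient address and schedule are assumptions chosen for illustration, and the search is the one from the accepted answer with status added back via values(status):

```ini
# Added example (not from the original thread). Stanza name, recipient and
# schedule are assumed values; only the search and the token names come from
# the thread. Lives in $SPLUNK_HOME/etc/apps/<app>/local/savedsearches.conf.
[Cybereason malware detected by host]
search = index=* sourcetype=cybereason:malware status=detected \
| stats count values(status) as status by machineName

# Assumed schedule: run every 15 minutes over the previous 15 minutes.
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now

# Trigger whenever the search returns at least one row.
counttype = number of events
relation = greater than
quantity = 0

# Email action. Every $result.<field>$ below must be a column of the stats
# output above: machineName and count come from "stats count by machineName",
# status only resolves because "values(status) as status" put it back into the
# row. A field that is only a search filter (status without the values() clause)
# would expand to an empty string in the subject and body.
action.email = 1
action.email.to = soc@example.com
action.email.subject.alert = Malware detected on $result.machineName$ ($result.count$ events)
action.email.message.alert = Host $result.machineName$ reported status "$result.status$" in $result.count$ events. Alert: $name$, triggered at $trigger_time$.

# $result.*$ reads the FIRST result row only. Turning digest mode off runs the
# action once per result row, so each host gets its own email with its own
# machineName/count/status; inline results additionally attach the whole table.
alert.digest_mode = 0
action.email.inline = 1
```

With alert.digest_mode = 1 (the default) the action runs once for the whole result set and the tokens resolve against the first row only, which is the rule quoted in the question; with digest mode off, each row triggers its own email and $result.*$ resolves against that row. The same first-row rule holds for a search with no transforming command: the tokens then resolve against the first raw event, so any extracted field of that event is available, but only from that one event.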
