Hi Splunkers, I have to configure, as an alert trigger action, a mail sending that should have, in the body text, some fields contained in the triggering events.
I found here on the community this post: How to implement tokens in Email alert? that explains very clearly how to use the $result.<field_name>$ notation, but also that "the field you want to specify must be returned in the first result row of the search".
So now a question arises.
Suppose I have this sample search:
index=* sourcetype=cybereason:malware status=detected
| stats count by machineName
It returns rows with 2 fields: the machine where the infection has been detected and the event count. So, I should be able to use, in my mail notification:
$result.machineName$
$result.count$
but not $result.status$, because it is used only as a filter and is not returned as a search result. Am I wrong?
Hi
that's correct. But you can also get status into your search with this change:
index=* sourcetype=cybereason:malware status=detected
| stats count values(status) as status by machineName
This just adds a new field which shows all the distinct status values. As you have only one status, this works as you need.
r. Ismo
Can I use the same token concept in the Splunk ES adaptive response "send email" action if my notable event returns the field?
Hi @isoutamo, thanks a lot. Yeah, I know how to return a value using stats, with the values(argument) function or others; my question was to confirm that I have to use a "more complex" search if I need more fields in the notification.
Another question arises now: if I have a simple search without a transforming command, like:
index=* sourcetype=cybereason:malware status=detected
what will happen? The doubt is: since I use no transforming command, will I be able to access all the fields in the logs, OR the opposite, will I not be able to add fields to the notification, because I did not specify which fields to return?
You are correct. However, you could add the status back to the stats command
| stats count by machineName status
Then you would have access to $result.status$ as well.
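To make the "first result row" rule concrete for all four searches discussed in this thread, here is an added example that models the behaviour in Python; it is not Splunk's own code and does not run SPL. It uses a few constructed cybereason:malware events with hypothetical host names, a minimal stand-in for `stats count ... by` (with optional `values(field) as field`), and a token expander that, like the email alert action, resolves `$result.<field>$` from the first result row only. One assumption is labelled in the code: a token whose field is absent from the first row is rendered as an empty string; the expander also reports which fields were missing so you can check a body template before wiring it into the alert.

```python
"""Model of how $result.<field>$ tokens resolve against search results.

Constructed example, not Splunk's own code: fake cybereason:malware events,
a minimal stand-in for `stats count ... by`, and a token expander that, like
the Splunk email alert action, reads only the FIRST result row.
"""
import re
from collections import OrderedDict

# Constructed sample events (hypothetical hosts and values).
EVENTS = [
    {"machineName": "WS-101", "status": "detected", "malwareName": "Trojan.A"},
    {"machineName": "WS-101", "status": "detected", "malwareName": "Trojan.A"},
    {"machineName": "SRV-07", "status": "detected", "malwareName": "Worm.B"},
]

TOKEN = re.compile(r"\$result\.([A-Za-z0-9_]+)\$")


def search(events, **filters):
    """Stand-in for the base search: keep events whose fields match the filters."""
    return [e for e in events if all(e.get(k) == v for k, v in filters.items())]


def stats_count_by(events, *by_fields, values_of=()):
    """Stand-in for `| stats count [values(f) as f ...] by <by_fields>`.

    Only the by-fields, `count`, and the explicit values() fields survive;
    every other event field is dropped, which is why $result.status$ is
    empty after `stats count by machineName`.
    """
    groups = OrderedDict()
    for e in events:
        key = tuple(e.get(f) for f in by_fields)
        g = groups.setdefault(key, {"count": 0, **{f: set() for f in values_of}})
        g["count"] += 1
        for f in values_of:
            if f in e:
                g[f].add(e[f])
    rows = []
    for key, g in groups.items():
        row = dict(zip(by_fields, key))
        row["count"] = g["count"]
        for f in values_of:
            row[f] = sorted(g[f])  # values() yields a multivalue field
        rows.append(row)
    return rows


def expand_tokens(template, rows):
    """Resolve $result.<field>$ from the first row only.

    Returns (text, missing): `missing` lists the fields the first row lacks.
    Assumption: an unresolved token is rendered as an empty string.
    """
    if not rows:
        return TOKEN.sub("", template), sorted(set(TOKEN.findall(template)))
    first = rows[0]
    missing = []

    def repl(m):
        field = m.group(1)
        if field not in first:
            missing.append(field)
            return ""
        v = first[field]
        return ", ".join(map(str, v)) if isinstance(v, list) else str(v)

    return TOKEN.sub(repl, template), missing


# Hypothetical email body using the tokens from the thread.
BODY = "Host $result.machineName$ has $result.count$ events with status $result.status$"

if __name__ == "__main__":
    hits = search(EVENTS, status="detected")
    variants = [
        ("stats count by machineName", stats_count_by(hits, "machineName")),
        ("stats count values(status) as status by machineName",
         stats_count_by(hits, "machineName", values_of=("status",))),
        ("stats count by machineName status", stats_count_by(hits, "machineName", "status")),
        ("no transforming command (raw events)", hits),
    ]
    for label, rows in variants:
        text, missing = expand_tokens(BODY, rows)
        print(f"{label}\n  -> {text!r}\n  missing fields: {missing}")
```

Running it shows the two failure modes side by side: after `stats count by machineName` the `status` token is blank, while with no transforming command every event field (status, malwareName, ...) is available but `$result.count$` is, since no count field exists in a raw event.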
