In the docs, it says
You can enter a subject header for the email (by default it is set to be Splunk Alert: $name$, where $name$ is replaced by the saved search name)
Is there a list of other variables we can use in this, and are they configurable? I.e. can I use part of the result in the subject?
Also, can we use these variables elsewhere? I.e. search for a user that has used the SU command and email them asking for a reason why.
Except the $name$, is there any useful example in that xml?
I found some of it & listed below (not tested), is it fine to add $xxx$ in the email subject?
Splunk have listened.
Version 6.1 of splunk now has TO: CC: & BCC:, Priority, Subject and a multi line Message. You also have the option of including the search string or not as well as the results. And they have listed the tokens (like $alert.severity$) that can be used.
And this can be triggered from the search string with the sendmail command.
See http://docs.splunk.com/Documentation/Splunk/6.1.2/Alert/Setupalertactions#Email_notification for details. The tokens listed there are:
$action.email.hostname$ Hostname of the email server.
$action.email.priority$ Priority of the search.
$app$ Name of the app containing the search.
$cron_schedule$ Cron schedule for the app.
$description$ Description of the search.
$name$ Name of the search.
$next_scheduled_time$ The next time the search runs.
$owner$ Owner of the search.
$results_link$ (Alert actions and scheduled reports only) Link to the search results.
$search$ The actual search.
$trigger_date$ (Alert actions only) The date that triggers the alert.
$trigger_time$ (Alert actions only) The scheduled time the alert runs.
$type$ Indicates if the search is from an alert, report, view, or the search command.
$view_link$ Link to view the saved report.
$alert.severity$ Severity level of the alert.
$alert.expires$ Time the alert expires.
Splunk doc team: why can't you permalink your docs?
Current (2023/q1) docs: https://docs.splunk.com/Documentation/Splunk/9.0.4/Alert/EmailNotificationTokens
$trigger_time$ can only show the epoch time; $trigger_timeHMS$ can show a readable time, but only in 12-hour format and without the AM/PM indicator.
ssContent['trigger_timeHMS'] = time.strftime("%I:%M:%S", triggerSeconds)
The only way to show a proper time value is to override the sendemail.py in $SPLUNK_HOME/etc/apps/search/bin/, either by directly modifying it (not recommended) or by putting the updated version in another app or in etc/system/.
Python time format directives can be found here:
https://docs.python.org/2/library/time.html
I believe any key you can find in the ssContent array of that Python script can be used in the email subject or content.
It is now possible to use fields from the results of a search, here is an example subject for an e-mail alert:
Splunk Alert: $result.host$ has failed $result.failure_count$ times in $result.time_range$
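To make the token mechanism from the thread concrete, here is an added example (my own illustration, not Splunk's sendemail.py and not code from any poster) of a small expander that fills $name$-style saved-search tokens and $result.<field>$ tokens into a subject line, and that also builds a $trigger_timeHMS$ token in 24-hour format (the earlier post notes the stock script only emits 12-hour time without AM/PM). The token names mirror the ones discussed above; the sample search metadata, result row and trigger epoch are constructed values, and the use of gmtime and the %H format are this example's own choices.

```python
"""Added example: expand $token$ placeholders in an alert e-mail subject.

This is an illustration of the substitution behaviour described in the
thread, not Splunk's own sendemail.py. All sample values are constructed.
"""
import re
import time

# Matches $name$, $alert.severity$, $result.host$ and similar tokens.
TOKEN_RE = re.compile(r"\$([A-Za-z0-9_.]+)\$")


def build_tokens(saved_search, first_result, trigger_seconds, time_fmt="%H:%M:%S"):
    """Build the token -> value map used for substitution.

    saved_search:   dict of saved-search metadata (name, description, app, ...),
                    standing in for the ssContent keys mentioned in the thread.
    first_result:   dict for the first result row; exposed as $result.<field>$.
    trigger_seconds: epoch seconds of the trigger; exposed as $trigger_time$ and,
                    formatted with time_fmt, as $trigger_timeHMS$. The 24-hour
                    %H default is this example's choice (the stock script uses %I).
    """
    tokens = {key: str(value) for key, value in saved_search.items()}
    tokens["trigger_time"] = str(int(trigger_seconds))
    # gmtime keeps the output independent of the host timezone (assumption for
    # this example; a real deployment would normally want local time).
    tokens["trigger_timeHMS"] = time.strftime(time_fmt, time.gmtime(trigger_seconds))
    for field, value in first_result.items():
        tokens["result." + field] = str(value)
    return tokens


def expand(template, tokens):
    """Replace every $token$ in template with its value.

    Unknown tokens are left verbatim so that a typo in a subject line is
    visible in the delivered mail instead of silently turning into nothing.
    """
    def repl(match):
        return tokens.get(match.group(1), match.group(0))
    return TOKEN_RE.sub(repl, template)


# Constructed sample data, not real alert output.
SAMPLE_SEARCH = {"name": "failed_logins", "description": "Repeated auth failures", "app": "search"}
SAMPLE_RESULT = {"host": "web01", "failure_count": 17, "time_range": "last 15 minutes"}
SAMPLE_TRIGGER = 1700000000  # 2023-11-14 22:13:20 UTC

SUBJECT_TEMPLATE = ("Splunk Alert: $result.host$ has failed $result.failure_count$ times "
                    "in $result.time_range$ ($name$ at $trigger_timeHMS$ UTC)")


def demo_subject():
    """Expand the thread's example subject against the constructed sample data."""
    tokens = build_tokens(SAMPLE_SEARCH, SAMPLE_RESULT, SAMPLE_TRIGGER)
    return expand(SUBJECT_TEMPLATE, tokens)


if __name__ == "__main__":
    print(demo_subject())
```

Only the first result row is exposed, which matches how a per-result subject is normally used; if an alert returns several rows, the fields from later rows are not available to the subject line in this scheme.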
You can find the list of variables available in the following file:
$SPLUNK_HOME$\etc\apps\search\default\data\ui\manager\saved_searches.xml
They are designated in the XML as element names:
element name="name" label="Search name"
$name$ comes from the element's name property.
You can use $description$ but I have not found anything else.
Has there been any developments for this since this question was asked?