Is there any ability built in to Splunk to use a field from a returned search as a dynamic field in a scheduled search? I'm trying to use a "to" field as the destination (to) field in a scheduled email alert.
No need for any App - just use $result.field$ in your to-field.
6.1-specific docs: http://docs.splunk.com/Documentation/Splunk/6.1/Alert/Setupalertactions#Use_tokens_in_email_notifica...
Huh, nice. I'll try that out tomorrow as well. Thanks!
The sendresults app/command should help you out here. It looks for a field named email_to but a rename can work wonders: https://splunkbase.splunk.com/app/1794/
Thanks - didn't think to look at prebuilt apps. I'll dive in and see what it's all about. Appreciate it.
Works like a charm - definitely the way to go. Thanks again.