Using $result.fieldname$ for email notification, b...

Jennifer · ‎04-07-2022

Hi, Team

I want to use tokens for email and xMater notification. I have one field named Server.

So this is what I write for message for xMatter alerting: Data isn't refreshed in time on $result.Server$

But here's what I received: Data isnt refreshed in time on genesys-pulse-tko-04.hk.hsbc genesys-pulse-tko-04.hk.hsbc

The name of server shows twice on the message.

Another case is I use token for email notification:

here's what I write on splunk:

The alert condition for $result.Server$ was triggered.

here's what I receive when the alert is triggered:

Anyone knows the reason of these cases?

ITWhisperer · ‎04-07-2022

Do you have the link to the search results with these alerts?

In the first case, does the Server field have a multivalue for the first row of the results?

In the second case, is the Server field empty for the first row of the results?

Jennifer · ‎04-07-2022

Here's the search result of the alert:

ITWhisperer · ‎04-07-2022

Can you expand to show the extracted fields? (Click on the > in the i column)

Jennifer · ‎04-07-2022

ITWhisperer · ‎04-08-2022

Does it ever work?

In the case of there being no value, what should the value be?

Can you try $result._raw$

Jennifer · ‎04-08-2022

Thanks so much:) I've solved the problem. I've changed the search command into:

index="cc_projects"| table Server Data_Refresh
|search Data_Refresh = false

the token is still $result.Server$

Using $result.fieldname$ for email notification, but it either doesn't show anything or shows the value twice