Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Using $result.fieldname$ in email text/body (splunk email alert)

nadlurinadluri
Communicator
‎08-12-2018 12:05 PM

I am trying to use results of an alert and send it as a slack message. The output of the alert has two rows and two columns. How to send all the output in the body? Using $result.fieldname$ gives only the first row of that field. How can we get the second row too, of that field and show that in the body?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

burwell
SplunkTrust
SplunkTrust
‎08-12-2018 04:46 PM

So let's say you were searching for 

  index="foo" "some error condition"

You could create a new field by combining two fields together

 index="foo" "some error condition" 
   | eval newfield=field1 + " " + field2
   | stats values(newfield) as newfieldValues

And then use $result.newfieldValues$ in slack.

Sometimes I combine the fields with an =

For example

   index="foo" "some error condition"
   | eval hostsAndValue=host + "=" + somefield
   | stats values(hostsAndValue) as badHosts

Then I use $result.badHosts$ in slack.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

burwell
SplunkTrust
SplunkTrust
‎08-12-2018 04:46 PM

So let's say you were searching for 

  index="foo" "some error condition"

You could create a new field by combining two fields together

 index="foo" "some error condition" 
   | eval newfield=field1 + " " + field2
   | stats values(newfield) as newfieldValues

And then use $result.newfieldValues$ in slack.

Sometimes I combine the fields with an =

For example

   index="foo" "some error condition"
   | eval hostsAndValue=host + "=" + somefield
   | stats values(hostsAndValue) as badHosts

Then I use $result.badHosts$ in slack.

0 Karma
Reply
Solved! Jump to solution

nadlurinadluri
Communicator
‎08-17-2018 02:50 PM

Sorry for the delay!! But I did something similar, to get the required output!! After getting the output with many rows, I combined those values in a single filed (multi valued field; using mvappend)

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...