Using $result.fieldname$ in email text/body (splunk email alert)

Communicator

I am trying to use the results of an alert and send them as a Slack message. The output of the alert has two rows and two columns. How do I send all of the output in the body? Using $result.fieldname$ gives only the first row of that field. How can we get the second row of that field too and show it in the body?

1 Solution

SplunkTrust

So let's say you were searching for

  index="foo" "some error condition"

You could create a new field by combining two fields together

  index="foo" "some error condition"
    | eval newfield=field1 + " " + field2
    | stats values(newfield) as newfieldValues

And then use $result.newfieldValues$ in slack.

Sometimes I combine the fields with an =

For example

  index="foo" "some error condition"
    | eval hostsAndValue=host + "=" + somefield
    | stats values(hostsAndValue) as badHosts

Then I use $result.badHosts$ in slack.

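The pattern in the answer above, as a self-contained search you can paste into Splunk to see it end to end (an added example, not part of the original answer): the two rows are constructed with makeresults rather than read from an index, the host and somefield values are made up, and the trailing mvjoin is an assumption that you want one delimited string in the alert token rather than a multivalue field.

```spl
| makeresults count=2
| streamstats count AS row
| eval host=if(row=1, "web-01", "web-02")
| eval somefield=if(row=1, "disk_full", "oom_killer")
| eval hostsAndValue=host + "=" + somefield
| stats values(hostsAndValue) AS badHosts
| eval badHosts=mvjoin(badHosts, ", ")
```

Because stats values() deduplicates and sorts its output, use list() instead if you need every row in its original order; after the final eval, $result.badHosts$ carries both rows in a single string.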

Communicator

Sorry for the delay! But I did something similar to get the required output! After getting the output with many rows, I combined those values in a single field (a multivalued field, using mvappend).
