Reporting
Highlighted

What variables can you use in email subject?

Builder

In the docs, it says

You can enter a subject header for the email (by default it is set to be Splunk Alert: $name$, where $name$ is replaced by the saved search name)

Is there a list of other variables we can use in this and are they configurable? IE can I use part of the result in the subject.

Also can we use these variables elsewhere? ie. Search for a user that has used the SU command and email them asking for a reason why.

Tags (3)
Highlighted

Re: What variables can you use in email subject?

Motivator

Has there been any developments for this since this question was asked?

0 Karma
Highlighted

Re: What variables can you use in email subject?

Builder

You can use $description$ but I have not found anything else.

Highlighted

Re: What variables can you use in email subject?

Path Finder

You can find the list of variables available in the following file:

$SPLUNK_HOME$\etc\apps\search\default\data\ui\manager\saved_searches.xml

They are designated in the XML as element names:

element name="name" label="Search name"

$name$ comes from the the element's name property

Highlighted

Re: What variables can you use in email subject?

Path Finder

Except the $name$, is there any useful example in that xml?

I found some of it & listed below (not tested), is it fine to add $xxx$ in the email subject?

  • $search$
  • $description$
  • $timerange$
  • $alert.severity$

View solution in original post

Highlighted

Re: What variables can you use in email subject?

Path Finder

It is now possible to use fields from the results of a search, here is an example subject for an e-mail alert:
Splunk Alert: $result.host$ has failed $result.failurecount$ times in $result.timerange$

Highlighted

Re: What variables can you use in email subject?

Splunk Employee
Splunk Employee

Splunk have listened.

Version 6.1 of splunk now has TO: CC: & BCC:, Priority, Subject and a multi line Message. You also have the option of including the search string or not as well as the results. And they have listed the tokens (like $alert.severity$) that can be used.

And this can be triggered from the search string with the sendmail command.

See http://docs.splunk.com/Documentation/Splunk/6.1.2/Alert/Setupalertactions#Email_notification for details. In here are the tokens

$action.email.hostname$     Hostname of the email server.
$action.email.priority$     Priority of the search.
$app$   Name of the app containing the search.
$cron_schedule$     Cron schedule for the app.
$description$   Description of the search.
$name$  Name of the search.
$next_scheduled_time$   The next time the search runs.
$owner$     Owner of the search.
$results_link$  (Alert actions and scheduled reports only) Link to the search results.
$search$    The actual search.
$trigger_date$  (Alert actions only) The date that triggers the alert.
$trigger_time$  (Alert actions only) The scheduled time the alert runs.
$type$  Indicates if the search is from an alert, report, view, or the search command.
$view_link$     Link to view the saved report.
$alert.severity$    Severity level of the alert.
$alert.expires$     Time the alert expires. 
Highlighted

Re: What variables can you use in email subject?

Path Finder

$triggertime$ can only show the epoch time, $triggertimeHMS$ can show a readable time but only in 12-H format and it's without the AM/PM indicator.

ssContent['trigger_timeHMS'] = time.strftime("%I:%M:%S", triggerSeconds)

the only way to show a proper time value is to override the sendemail.py in $SPLUNK_HOME/etc/apps/search/bin/, either by directly modifying it (not recommended) or put the updated version in another app or etc/system/

Python time format directives can be found here:
https://docs.python.org/2/library/time.html

I believe any key you can find in the ssContent array of that python script can be used in the email subject or content

0 Karma