In the docs, it says
You can enter a subject header for the email (by default it is set to be Splunk Alert: $name$, where $name$ is replaced by the saved search name)
Is there a list of other variables we can use in this, and are they configurable? I.e. can I use part of the result in the subject?
Also, can we use these variables elsewhere? I.e. search for a user that has used the su command and email them asking for a reason why.
You can find the list of variables available in the following file:
They are designated in the XML as element names:
element name="name" label="Search name"
$name$ comes from the element's name property.
Apart from $name$, is there any useful example in that XML?
I found some of it and listed it below (not tested). Is it fine to add $xxx$ to the email subject?
It is now possible to use fields from the results of a search, here is an example subject for an e-mail alert:
Splunk Alert: $result.host$ has failed $result.failurecount$ times in $result.timerange$
Splunk have listened.
Version 6.1 of Splunk now has To:, CC: and BCC:, Priority, Subject and a multi-line Message. You also have the option of including the search string or not, as well as the results. And they have listed the tokens (like $alert.severity$) that can be used.
And this can be triggered from the search string with the sendmail command.
See http://docs.splunk.com/Documentation/Splunk/6.1.2/Alert/Setupalertactions#Email_notification for details. The tokens listed there are:
$action.email.hostname$ Hostname of the email server.
$action.email.priority$ Priority of the search.
$app$ Name of the app containing the search.
$cron_schedule$ Cron schedule for the app.
$description$ Description of the search.
$name$ Name of the search.
$next_scheduled_time$ The next time the search runs.
$owner$ Owner of the search.
$results_link$ (Alert actions and scheduled reports only) Link to the search results.
$search$ The actual search.
$trigger_date$ (Alert actions only) The date that triggers the alert.
$trigger_time$ (Alert actions only) The scheduled time the alert runs.
$type$ Indicates if the search is from an alert, report, view, or the search command.
$view_link$ Link to view the saved report.
$alert.severity$ Severity level of the alert.
$alert.expires$ Time the alert expires.
$triggertime$ can only show the epoch time; $triggertimeHMS$ can show a readable time, but only in 12-hour format and without the AM/PM indicator:
ssContent['trigger_timeHMS'] = time.strftime("%I:%M:%S", triggerSeconds)
The only way to show a proper time value is to override sendemail.py in $SPLUNK_HOME/etc/apps/search/bin/, either by directly modifying it (not recommended) or by putting the updated version in another app or under etc/system/.
Python time format directives can be found here:
I believe any key you can find in the ssContent array of that Python script can be used in the email subject or content.
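As an added example, not taken from this thread and not Splunk's own sendemail.py, the Python below sketches how the tokens discussed in the answers above get assembled and expanded: a $token$ substitution over constructed search metadata and a constructed first result row (so $name$, $alert.severity$ and $result.host$-style tokens all resolve), with the trigger time formatted three ways so the 12-hour-without-AM/PM output described in the last post sits next to two unambiguous alternatives. The function names (build_content, expand_tokens, render_subject), the sample values and the choice to leave unknown tokens unexpanded are assumptions for illustration; Splunk's actual expansion rules are not claimed here.

```python
import re
import time

# Constructed sample of the metadata a script like sendemail.py receives.
# All values are made up for illustration, not taken from a real Splunk instance.
SAMPLE_SEARCH = {
    "name": "Failed logins by host",
    "app": "search",
    "owner": "admin",
    "alert.severity": "4",
    "trigger_time": 1404914709,  # epoch seconds: 2014-07-09 14:05:09 UTC (constructed)
}

# Constructed first result row of the search; $result.<field>$ tokens read from it.
SAMPLE_RESULT = {"host": "web01", "failurecount": "17", "timerange": "last 15 minutes"}

# A token is $name$ where name may contain dots (result.host, alert.severity).
TOKEN_RE = re.compile(r"\$([A-Za-z0-9_.]+)\$")


def build_content(search, result, to_struct=time.gmtime):
    """Assemble the token dictionary (in the spirit of ssContent in sendemail.py).

    to_struct converts epoch seconds to a struct_time. gmtime keeps this example
    deterministic; a real script would normally use time.localtime so the subject
    shows the server's local time.
    """
    content = dict(search)
    trigger = to_struct(search["trigger_time"])
    # 12-hour clock without %p is ambiguous: "02:05:09" could be AM or PM.
    content["trigger_timeHMS"] = time.strftime("%I:%M:%S", trigger)
    # Two unambiguous alternatives: 24-hour clock, and 12-hour with AM/PM.
    content["trigger_time24"] = time.strftime("%H:%M:%S", trigger)
    content["trigger_time12"] = time.strftime("%I:%M:%S %p", trigger)
    content["trigger_date"] = time.strftime("%Y-%m-%d", trigger)
    # Expose the first result row as result.<field> tokens.
    for field, value in result.items():
        content["result." + field] = value
    return content


def expand_tokens(template, content):
    """Replace every $token$ in template with its value.

    Unknown tokens are left untouched (an assumption of this example) so that a
    typo in a subject line stays visible instead of silently disappearing.
    """
    def repl(match):
        return str(content.get(match.group(1), match.group(0)))
    return TOKEN_RE.sub(repl, template)


def render_subject(template, search=SAMPLE_SEARCH, result=SAMPLE_RESULT):
    """Render an alert subject template against the constructed sample data."""
    return expand_tokens(template, build_content(search, result))


if __name__ == "__main__":
    print(render_subject("Splunk Alert: $result.host$ has failed "
                         "$result.failurecount$ times in $result.timerange$"))
    print(render_subject("$name$ fired at $trigger_time24$ ($trigger_time12$), "
                         "severity $alert.severity$"))
    print(render_subject("Ambiguous: $trigger_timeHMS$; unknown token kept: $nosuchtoken$"))
```

Dropping a modified copy of such a script into another app's bin/ directory, as the post above suggests, is where the extra keys (trigger_time24, trigger_time12) would be added to the content dictionary before the subject is rendered; the time format directives are the standard ones from Python's time.strftime.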