Solved: Passing eval to email alert and notables

JJCO · ‎02-13-2025

Howdy,

I'm building out some alerting in Splunk ES, and created a new correlation search.
That is all working, but I'm unable to pass my eval as a value into email alert.

What I have:
| eval alert_message=range.":".sourcetype." log source has not checked in ".'Communicated Minutes Ago'." minutes. On index=".index.". Latest Event:".'Latest Event'
| table alert_message

Just running the search works, the table is there and looks correct.
I've tried variations of $alert_message$ with and without quotes, but the alert_message never gets passed to the email alert.
I haven't tried to generate a notable, but I'm guessing I'll have the same issue.

I feel like I'm missing something easy here...

richgalloway · ‎02-13-2025

Have you tried $results.alert_message$?

---
If this reply helps you, Karma would be appreciated.

View solution in original post

livehybrid · ‎02-13-2025

Hi @JJCO

Ensure that you correctly reference your `alert_message` using the correct token syntax. In the email alert settings, you should use `$result.alert_message$`. This assumes that `alert_message` is part of the result set.

Please let me know how you get on and consider accepting this answer or adding karma this answer if it has helped.
Regards

Will

richgalloway · ‎02-13-2025

Have you tried $results.alert_message$?

---
If this reply helps you, Karma would be appreciated.

Passing eval to email alert and notables

notable event

using Enterprise Security

Mastering Data Pipelines: Unlocking Value with Splunk

The Latest Cisco Integrations With Splunk Platform!

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk