Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to set an email alert in Splunk?

Kk
Path Finder
‎12-16-2022 02:22 AM

Hi All, I'm to trying to set an email alert notification by using splunk. In the alert Description, I just want to mention only particular field values that search returns. I thought of using $result.fieldname$ but, As splunk says it only returns field first row value in the description. For Example:

Field name:    values

numbers        1,2,3,4,5

search: index=""|table numbers

alert Description: The number values are: $result.numbers$

O/P:

The number values are: 1

O/p Expected:

The number values are:

1,2,3,4,5

Labels (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

FelixLeh
Contributor
‎12-16-2022 05:52 AM

True. Since he wrote "Field name:    values" in the first line I thought "values" is the field name @Kk uses but the table command should've made it obvious to me

View solution in original post

0 Karma
Reply
Solved! Jump to solution

FelixLeh
Contributor
‎12-16-2022 04:58 AM

Hi @Kk !
Untested Theory but you could try to make a hidden field like this and reference it with a result token.

 

|eventstats values(values) as _values

 

then reference it in the Mail Description like this:
$result._values$ 

Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎12-16-2022 05:49 AM

Yes in your @Kk case, it would be 

|eventstats values(numbers) as _numbers

and then you can reference in your description:

$result._numbers$

 

Did you try something like this?

Reply
Solved! Jump to solution
Solution

FelixLeh
Contributor
‎12-16-2022 05:52 AM

True. Since he wrote "Field name:    values" in the first line I thought "values" is the field name @Kk uses but the table command should've made it obvious to me

0 Karma
Reply
Solved! Jump to solution

Kk
Path Finder
‎12-16-2022 05:45 AM

This doesn't work @FelixLeh 

0 Karma
Reply
Solved! Jump to solution

FelixLeh
Contributor
‎12-16-2022 05:50 AM

You could also compromise to make it a visible field (eventstats values(fieldename) as new_fieldname) but then its included in your Splunk table. But then it should definitely work.

0 Karma
Reply
Solved! Jump to solution

Kk
Path Finder
‎12-16-2022 06:14 AM

Sry, my bad. It is working now..

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...