Solved: How to set an email alert in Splunk?

Kk · ‎12-16-2022

Hi All, I'm to trying to set an email alert notification by using splunk. In the alert Description, I just want to mention only particular field values that search returns. I thought of using $result.fieldname$ but, As splunk says it only returns field first row value in the description. For Example:

Field name: values

numbers 1,2,3,4,5

search: index=""|table numbers

alert Description: The number values are: $result.numbers$

O/P:

The number values are: 1

O/p Expected:

The number values are:

1,2,3,4,5

FelixLeh · ‎12-16-2022

True. Since he wrote "Field name: values" in the first line I thought "values" is the field name @Kk uses but the table command should've made it obvious to me

View solution in original post

FelixLeh · ‎12-16-2022

Hi @Kk !
Untested Theory but you could try to make a hidden field like this and reference it with a result token.

|eventstats values(values) as _values

then reference it in the Mail Description like this:
$result._values$

VatsalJagani · ‎12-16-2022

Yes in your @Kk case, it would be

|eventstats values(numbers) as _numbers

and then you can reference in your description:

$result._numbers$

Did you try something like this?

FelixLeh · ‎12-16-2022

True. Since he wrote "Field name: values" in the first line I thought "values" is the field name @Kk uses but the table command should've made it obvious to me

Kk · ‎12-16-2022

This doesn't work @FelixLeh

FelixLeh · ‎12-16-2022

You could also compromise to make it a visible field (eventstats values(fieldename) as new_fieldname) but then its included in your Splunk table. But then it should definitely work.

Kk · ‎12-16-2022

Sry, my bad. It is working now..

How to set an email alert in Splunk?

development

other

using Splunk Enterprise

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!