Solved: How to set an email alert in Splunk?

Kk · ‎12-16-2022

Hi All, I'm to trying to set an email alert notification by using splunk. In the alert Description, I just want to mention only particular field values that search returns. I thought of using $result.fieldname$ but, As splunk says it only returns field first row value in the description. For Example:

Field name: values

numbers 1,2,3,4,5

search: index=""|table numbers

alert Description: The number values are: $result.numbers$

O/P:

The number values are: 1

O/p Expected:

The number values are:

1,2,3,4,5

FelixLeh · ‎12-16-2022

True. Since he wrote "Field name: values" in the first line I thought "values" is the field name @Kk uses but the table command should've made it obvious to me

View solution in original post

FelixLeh · ‎12-16-2022

Hi @Kk !
Untested Theory but you could try to make a hidden field like this and reference it with a result token.

|eventstats values(values) as _values

then reference it in the Mail Description like this:
$result._values$

VatsalJagani · ‎12-16-2022

Yes in your @Kk case, it would be

|eventstats values(numbers) as _numbers

and then you can reference in your description:

$result._numbers$

Did you try something like this?

FelixLeh · ‎12-16-2022

True. Since he wrote "Field name: values" in the first line I thought "values" is the field name @Kk uses but the table command should've made it obvious to me

Kk · ‎12-16-2022

This doesn't work @FelixLeh

FelixLeh · ‎12-16-2022

You could also compromise to make it a visible field (eventstats values(fieldename) as new_fieldname) but then its included in your Splunk table. But then it should definitely work.

Kk · ‎12-16-2022

Sry, my bad. It is working now..

How to set an email alert in Splunk?

development

other

using Splunk Enterprise

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM