Splunk Enterprise

How to set an email alert in Splunk?

Kk
Path Finder

Hi All, I'm to trying to set an email alert notification by using splunk. In the alert Description, I just want to mention only particular field values that search returns. I thought of using $result.fieldname$ but, As splunk says it only returns field first row value in the description. For Example:

Field name:    values

numbers        1,2,3,4,5

search: index=""|table numbers

alert Description: The number values are: $result.numbers$

O/P:

The number values are: 1

O/p Expected:

The number values are:

1,2,3,4,5

Labels (3)
0 Karma
1 Solution

FelixLeh
Contributor

True. Since he wrote "Field name:    values" in the first line I thought "values" is the field name @Kk uses but the table command should've made it obvious to me

View solution in original post

0 Karma

FelixLeh
Contributor

Hi @Kk !
Untested Theory but you could try to make a hidden field like this and reference it with a result token.

 

|eventstats values(values) as _values

 

then reference it in the Mail Description like this:
$result._values$ 

VatsalJagani
SplunkTrust
SplunkTrust

Yes in your @Kk case, it would be 

|eventstats values(numbers) as _numbers

and then you can reference in your description:

$result._numbers$

 

Did you try something like this?

FelixLeh
Contributor

True. Since he wrote "Field name:    values" in the first line I thought "values" is the field name @Kk uses but the table command should've made it obvious to me

0 Karma

Kk
Path Finder

This doesn't work @FelixLeh 

0 Karma

FelixLeh
Contributor

You could also compromise to make it a visible field (eventstats values(fieldename) as new_fieldname) but then its included in your Splunk table. But then it should definitely work.

0 Karma

Kk
Path Finder

Sry, my bad. It is working now..

0 Karma
Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...