Splunk ITSI
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why are Email notifications not sending search field data?

mark_cet
Path Finder
‎06-30-2023 03:34 AM

Hi everyone,

We have action rules in the Notable Event Aggregation Policies that send email notifications. The emails are received but they do not include the specified search field data.

In the subject and body have some of the search fields that exist (and are populated) in the episodes in the following format:

$result.<searchfield>$

E.G. $result.Message$

 

But the data from the fields are not included in the emails we receive. We have tried several different fields with the same result. Any idea what we are missing here?

Thanks.

 

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

srauhala_splunk
Splunk Employee
Splunk Employee
‎07-10-2023 12:57 AM

Hi @mark_cet 

Great news that you fingered it out! 

Are you sending the email at the same time as you are closing the episode? If the meta data you want to pass to the email is missing in the "Closing" event, consider setting up an additional alert action to send the email post closure and or edit the bidirectional/closing correlation search to include the information you want in the email. 

/Seb

View solution in original post

0 Karma
Reply
Solved! Jump to solution

srauhala_splunk
Splunk Employee
Splunk Employee
‎07-03-2023 03:56 AM

Hi! 

That looks like the correct syntax. Have you validated that the fields you want to email are available in the notable event you are passing to the NEAP? 

/Seb  

0 Karma
Reply
Solved! Jump to solution

mark_cet
Path Finder
‎07-03-2023 08:50 AM

Hi Seb,

Yes the fields are present in the correlation results used by the NEAP. Do the fields needs to be from the raw event, or can I use fields extracted using eval statements?

 

Thanks.

Mark

 

0 Karma
Reply
Solved! Jump to solution

srauhala_splunk
Splunk Employee
Splunk Employee
‎07-04-2023 02:01 AM

Hi Mark! 

The fields can be defined by eval command or any other for that matter. 

You can also try triggering emails from the action drop down in "Episode Review", just to verify that the syntax and fields you are trying to use exist in the episodes. 

/Seb  

0 Karma
Reply
Solved! Jump to solution

mark_cet
Path Finder
‎07-04-2023 04:52 AM

Thanks for your reply Srauhala.

I think I have found the issue. It appears to be an issue with the Splunk / ServiceNow bidirectional integration.

We are trying to send an email after the SNow incident is closed. If I send an email notification when we create the SNow incident the fields are displayed correctly.

It appears that the tokens lose their association to the episode after it's closed.

Are you aware of anything special we have to do for this scenario?

 

Thanks again.

 

 

0 Karma
Reply
Solved! Jump to solution
Solution

srauhala_splunk
Splunk Employee
Splunk Employee
‎07-10-2023 12:57 AM

Hi @mark_cet 

Great news that you fingered it out! 

Are you sending the email at the same time as you are closing the episode? If the meta data you want to pass to the email is missing in the "Closing" event, consider setting up an additional alert action to send the email post closure and or edit the bidirectional/closing correlation search to include the information you want in the email. 

/Seb

0 Karma
Reply
Solved! Jump to solution

mark_cet
Path Finder
‎07-17-2023 07:47 AM

Apologies for the delay.

Thanks Seb.

0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...