Splunk ITSI
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

ITSI Notable Event Email Action

Justinboucher0
Path Finder
‎08-16-2018 08:47 AM

What are the actual $result.fieldname$ tokens that are available in ITSI Notable Events for the Send to Email action. I'm trying to access the notable event title, description, and whatever other fields I can access from the notable event.

Reply

jaime_ramirez
Communicator
‎07-17-2019 12:57 PM

Hi

Each of the notable events is generated either by a correlation search, multi-kpi alerts, grouping event or alert action. Each one of this carries different $result.fieldnames$.

For the correlation searches and multi-kpi alerts you can check the fields available and their names by executing the search that generated the notable event (Go to Configure -> Correlation Searches and copy the Search string defined).

Also you can check the fields avilable in both the itsi_tracked_alerts and itsi_grouped_alerts indexes. Both of then store the notable events generated by ITSI.

index=itsi_grouped_alerts OR index=itsi_tracked_alerts

Cheers!!!

0 Karma
Reply

roman3ro
Engager
‎07-09-2019 09:04 AM

Take a look at this search from the _internal index:

index=_internal sendemail sourcetype=itsi_internal_log

And you should see the search that ITSI is running. That will look something like this:

2019-07-09 11:53:02,134 INFO [itsi.controllers.itoa_rest_interface_provider] [notable_event_actions] [execute_action] [9969] Generated search command= search itsi_event_management_group_index itsi_group_id="5a5eb01b-0a1a-45ac-b4c5-15696d3ac9ad" | dedup itsi_group_id | itsi_notable_group_lookup | sendemail "email" subject="$result.itsi_group_description$" message="$result.service_name$ is currently in $result.severity_label$ with a value of $result.severity_value$ at $result.actual_time$

Execute the generated search command and that will show you the fields that are available.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...