Splunk IT Service Intelligence: Notable Event Poli...

andykoopa · ‎08-12-2019

Hi,

I am trying to include a url for a report in my notable event email. I would like the url to use the result time token as the latest field, and the time-60m as the earliest. So that if I check the email hours later I can still see the report from the events time frame.

Example url in email message body:
Report:
https://blahblahblahReport&earliest=&amplatest=

I have tried:
https://blahblahblahReport&earliest=$result._time$-60m&amplatest=$result._time$
AND
https://blahblahblahReport&earliest=$result._time-60m$&amplatest=$result._time$

But they do not seem to work. The result._time value itself is fine, it is a matter of doing the result._time-60m for earliest. If I hard code the values it works so I know it is possible with the configured report.

Has anyone had experience in doing this? I appreciate the time and help 🙂

-Andy

esnyder_splunk · ‎10-21-2019

Hi Andy, here are the docs for configuring tokens in emails. If this doesn't help, please let me know how we can enhance the docs https://docs.splunk.com/Documentation/ITSI/latest/User/Setupandrunnotableeventactions#Send_an_email

Splunk IT Service Intelligence: Notable Event Policy Email Tokens

Enterprise Security Content Update (ESCU) | New Releases

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...