Splunk ITSI

Why are Email notifications not sending search field data?

mark_cet
Path Finder

Hi everyone,

We have action rules in the Notable Event Aggregation Policies that send email notifications. The emails are received but they do not include the specified search field data.

In the subject and body we have some of the search fields that exist (and are populated) in the episodes, in the following format:

$result.<searchfield>$

e.g. $result.Message$


But the data from the fields is not included in the emails we receive. We have tried several different fields with the same result. Any idea what we are missing here?

Thanks.



srauhala_splunk
Splunk Employee

Hi! 

That looks like the correct syntax. Have you validated that the fields you want to email are available in the notable event you are passing to the NEAP? 

/Seb  


mark_cet
Path Finder

Hi Seb,

Yes, the fields are present in the correlation results used by the NEAP. Do the fields need to be from the raw event, or can I use fields extracted using eval statements?


Thanks.

Mark


srauhala_splunk
Splunk Employee

Hi Mark! 

The fields can be defined by eval command or any other for that matter. 

You can also try triggering emails from the action drop down in "Episode Review", just to verify that the syntax and fields you are trying to use exist in the episodes. 

/Seb  


mark_cet
Path Finder

Thanks for your reply, Srauhala.

I think I have found the issue. It appears to be an issue with the Splunk / ServiceNow bidirectional integration.

We are trying to send an email after the SNow incident is closed. If I send an email notification when we create the SNow incident the fields are displayed correctly.

It appears that the tokens lose their association to the episode after it's closed.

Are you aware of anything special we have to do for this scenario?


Thanks again.


srauhala_splunk
Splunk Employee

Hi @mark_cet 

Great news that you figured it out!

Are you sending the email at the same time as you are closing the episode? If the metadata you want to pass to the email is missing in the "Closing" event, consider setting up an additional alert action to send the email post closure and/or edit the bidirectional/closing correlation search to include the information you want in the email.

/Seb

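The mechanism behind Seb's answer can be modelled in a few lines. The following is an added illustration written for this page, not Splunk's or ITSI's code: `$result.<field>$` tokens are expanded against the fields of whichever event triggered the action rule, so when the trigger is the closing event from the ticketing integration and that event does not carry `Message`, the token resolves to nothing and the email arrives with blank spots. The event contents, field names (`Message`, `severity`, `status`) and the assumption that an unresolved token expands to an empty string are all constructed for the example; `carry_forward` stands in for editing the closing correlation search so the closing event carries the fields the email needs.

```python
import re
from typing import Dict, List, Tuple

# Regex for the $result.<field>$ token form used in the thread. The
# field-name character class is an assumption of this model.
TOKEN_RE = re.compile(r"\$result\.([A-Za-z0-9_]+)\$")


def render(template: str, result: Dict[str, str]) -> Tuple[str, List[str]]:
    """Expand $result.<field>$ tokens from the triggering event's fields.

    Returns the rendered text and the names of tokens that had no value.
    In this model a token with no value expands to the empty string, which
    is how a missing field shows up in a delivered email: the surrounding
    text arrives, the value does not.
    """
    missing: List[str] = []

    def substitute(match: "re.Match[str]") -> str:
        name = match.group(1)
        value = result.get(name, "")
        if value == "":
            missing.append(name)
        return value

    return TOKEN_RE.sub(substitute, template), missing


def carry_forward(closing_event: Dict[str, str],
                  original_event: Dict[str, str],
                  fields: List[str]) -> Dict[str, str]:
    """Model of the fix: give the closing event the fields the email needs,
    as the closing correlation search would if edited to include them.
    Values already present on the closing event are left alone."""
    merged = dict(closing_event)
    for name in fields:
        if name in original_event and merged.get(name, "") == "":
            merged[name] = original_event[name]
    return merged


# Constructed sample events (not taken from any real deployment).
CREATE_EVENT: Dict[str, str] = {
    "itsi_group_id": "a1b2c3",
    "Message": "Disk usage 95% on host01",  # eval-derived in the correlation search
    "severity": "high",
}
# The closing event from the ticketing integration carries only what it
# needs to close the episode (constructed).
CLOSE_EVENT: Dict[str, str] = {
    "itsi_group_id": "a1b2c3",
    "status": "5",
}

SUBJECT = "ITSI episode $result.itsi_group_id$: $result.Message$"
BODY = "Severity: $result.severity$\nDetail: $result.Message$"


def diagnose(event: Dict[str, str]) -> List[str]:
    """Return the token names that would come out blank for this event,
    which is the check to run before blaming the email action itself."""
    unresolved = set(render(SUBJECT, event)[1]) | set(render(BODY, event)[1])
    return sorted(unresolved)


if __name__ == "__main__":
    print("on create:", render(SUBJECT, CREATE_EVENT)[0])
    print("on close :", repr(render(SUBJECT, CLOSE_EVENT)[0]),
          "missing:", diagnose(CLOSE_EVENT))
    fixed = carry_forward(CLOSE_EVENT, CREATE_EVENT, ["Message", "severity"])
    print("on close, enriched:", render(SUBJECT, fixed)[0],
          "missing:", diagnose(fixed))
```

Running `diagnose` against the event that actually fires the rule is the quick version of Seb's check: if it lists the tokens you see blank in the email, the syntax is fine and the triggering event is the problem, and the remedy is either a separate action on an event that still carries the fields or a closing search that includes them.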

mark_cet
Path Finder

Apologies for the delay.

Thanks Seb.
