Splunk ITSI

Why are Email notifications not sending search field data?

mark_cet
Path Finder

Hi everyone,

We have action rules in the Notable Event Aggregation Policies that send email notifications. The emails are received but they do not include the specified search field data.

In the subject and body we have some of the search fields that exist (and are populated) in the episodes, in the following format:

$result.<searchfield>$

E.G. $result.Message$

 

But the data from the fields is not included in the emails we receive. We have tried several different fields with the same result. Any idea what we are missing here?

Thanks.

 


srauhala_splunk
Splunk Employee
Splunk Employee

Hi! 

That looks like the correct syntax. Have you validated that the fields you want to email are available in the notable event you are passing to the NEAP? 

/Seb  

0 Karma

mark_cet
Path Finder

Hi Seb,

Yes, the fields are present in the correlation results used by the NEAP. Do the fields need to be from the raw event, or can I use fields extracted using eval statements?

 

Thanks.

Mark

 

0 Karma

srauhala_splunk
Splunk Employee
Splunk Employee

Hi Mark! 

The fields can be defined by eval command or any other for that matter. 

You can also try triggering emails from the action drop down in "Episode Review", just to verify that the syntax and fields you are trying to use exist in the episodes. 

/Seb  

0 Karma

mark_cet
Path Finder

Thanks for your reply Srauhala.

I think I have found the issue. It appears to be an issue with the Splunk / ServiceNow bidirectional integration.

We are trying to send an email after the SNow incident is closed. If I send an email notification when we create the SNow incident the fields are displayed correctly.

It appears that the tokens lose their association to the episode after it's closed.

Are you aware of anything special we have to do for this scenario?

 

Thanks again.

 

 

0 Karma

srauhala_splunk
Splunk Employee
Splunk Employee

Hi @mark_cet 

Great news that you figured it out!

Are you sending the email at the same time as you are closing the episode? If the metadata you want to pass to the email is missing in the "Closing" event, consider setting up an additional alert action to send the email post closure and/or edit the bidirectional/closing correlation search to include the information you want in the email.

/Seb

0 Karma
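To make the failure mode in this thread concrete, here is a small added example (not code from the original post, Splunk or ITSI) that models how `$result.<field>$` tokens are resolved against the single result row that triggered the action. The row contents, field names and the `enrich_closing_event` join are constructed assumptions; the behaviour assumed is that a token whose field is absent from the row resolves to an empty string, which is what produces an email with the field data missing when the closing event carries fewer fields than the creating event.

```python
import re

# Constructed sample rows (not real ITSI data). The "create" trigger carries the
# episode fields; the ServiceNow closing event only carries the id and status.
CREATE_EVENT = {
    "itsi_group_id": "ep-0001",
    "Message": "CPU above 95% on host-a",
    "severity": "high",
}
CLOSING_EVENT = {"itsi_group_id": "ep-0001", "status": "closed"}

# Notification template using the same $result.<field>$ syntax as the thread.
SUBJECT = "Episode $result.itsi_group_id$: $result.Message$"

TOKEN_RE = re.compile(r"\$result\.([A-Za-z0-9_]+)\$")


def render(template, result):
    """Substitute $result.<field>$ tokens from one result row.

    Assumption: a token whose field is missing from the row becomes an
    empty string rather than an error, so the email still sends but the
    field data is silently absent.
    """
    return TOKEN_RE.sub(lambda m: str(result.get(m.group(1), "")), template)


def missing_fields(template, result):
    """Pre-flight check: which tokens in the template have no field in the row."""
    return sorted({f for f in TOKEN_RE.findall(template) if f not in result})


def enrich_closing_event(closing, episode_fields_by_id):
    """Model the suggested fix of editing the closing correlation search so
    the closing row also carries the episode fields (here a join on
    itsi_group_id; the lookup structure is a constructed assumption)."""
    merged = dict(episode_fields_by_id.get(closing["itsi_group_id"], {}))
    merged.update(closing)
    return merged


if __name__ == "__main__":
    print("create :", render(SUBJECT, CREATE_EVENT))
    print("closing:", render(SUBJECT, CLOSING_EVENT))
    print("missing in closing row:", missing_fields(SUBJECT, CLOSING_EVENT))
    fixed = enrich_closing_event(CLOSING_EVENT, {"ep-0001": CREATE_EVENT})
    print("fixed  :", render(SUBJECT, fixed))
```

Running `missing_fields` against the row a given action will actually receive is the quickest way to confirm whether a template will render, which is the same check Seb suggests doing by triggering the email from Episode Review.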

mark_cet
Path Finder

Apologies for the delay.

Thanks Seb.

0 Karma