Splunk ITSI

Why are Email notifications not sending search field data?

mark_cet
Path Finder

Hi everyone,

We have action rules in the Notable Event Aggregation Policies that send email notifications. The emails are received but they do not include the specified search field data.

In the subject and body we have some of the search fields that exist (and are populated) in the episodes, in the following format:

$result.<searchfield>$

e.g. $result.Message$


But the data from the fields is not included in the emails we receive. We have tried several different fields with the same result. Any idea what we are missing here?

Thanks.



srauhala_splunk
Splunk Employee

Hi! 

That looks like the correct syntax. Have you validated that the fields you want to email are available in the notable event you are passing to the NEAP? 

/Seb  


mark_cet
Path Finder

Hi Seb,

Yes, the fields are present in the correlation results used by the NEAP. Do the fields need to be from the raw event, or can I use fields extracted using eval statements?


Thanks.

Mark



srauhala_splunk
Splunk Employee

Hi Mark! 

The fields can be defined by the eval command, or any other command for that matter.

You can also try triggering emails from the action drop-down in "Episode Review", just to verify that the syntax and fields you are trying to use exist in the episodes.

/Seb  


mark_cet
Path Finder

Thanks for your reply Srauhala.

I think I have found the issue. It appears to be an issue with the Splunk / ServiceNow bidirectional integration.

We are trying to send an email after the SNow incident is closed. If I send an email notification when we create the SNow incident the fields are displayed correctly.

It appears that the tokens lose their association with the episode after it is closed.

Are you aware of anything special we have to do for this scenario?


Thanks again.

srauhala_splunk
Splunk Employee

Hi @mark_cet 

Great news that you figured it out!

Are you sending the email at the same time as you are closing the episode? If the metadata you want to pass to the email is missing in the "Closing" event, consider setting up an additional alert action to send the email post-closure, and/or edit the bidirectional/closing correlation search to include the information you want in the email.

/Seb

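The two checks Seb suggests above (confirm the fields exist in the event the NEAP is acting on, and confirm that the closing event in particular still carries them) can be scripted. The following is an added example, not code from the thread or from Splunk: it pulls every $result.<field>$ token out of an action rule's subject and body, compares them against the field set of a constructed "create" event and a constructed "close" event, and renders the templates the way the thread describes (the email is sent, but a token whose field is absent comes out blank). The field-name character class, the sample events and the empty-string substitution for absent fields are all assumptions made for the example.

```python
import re
from typing import Dict, List, Set

# Matches $result.<field>$ tokens as written in the subject/body of a NEAP
# email action rule. The allowed field-name characters are an assumption;
# widen the class if your field names use others.
TOKEN_RE = re.compile(r"\$result\.([\w.:-]+)\$")


def referenced_fields(template: str) -> Set[str]:
    """Field names a template references through $result.<field>$ tokens."""
    return set(TOKEN_RE.findall(template))


def missing_fields(template: str, event: Dict[str, str]) -> List[str]:
    """Referenced fields that are absent from, or empty in, the given event."""
    return sorted(f for f in referenced_fields(template) if not event.get(f))


def render(template: str, event: Dict[str, str]) -> str:
    """Substitute tokens from the event; a missing field renders as ''.

    Blank substitution for absent fields mirrors the symptom in the thread
    (mail arrives, values are empty); it is assumed here, not taken from
    Splunk documentation.
    """
    return TOKEN_RE.sub(lambda m: str(event.get(m.group(1), "")), template)


def audit(subject: str, body: str, event: Dict[str, str]) -> Dict[str, List[str]]:
    """Per-template list of fields that will render blank for this event."""
    return {
        "subject": missing_fields(subject, event),
        "body": missing_fields(body, event),
    }


# Constructed sample events (not real ITSI data). The "create" event carries
# the correlation search fields; the "close" event coming back through the
# bidirectional integration carries only what that closing search emits.
CREATE_EVENT = {
    "itsi_group_id": "constructed-episode-001",
    "title": "Disk usage critical on host01",
    "Message": "/var is at 97% capacity",
    "severity": "6",
}
CLOSE_EVENT = {
    "itsi_group_id": "constructed-episode-001",
    "status": "5",  # closed; note: no title, Message or severity
}

# Constructed action-rule templates using the syntax from the question.
SUBJECT = "ITSI episode update: $result.title$"
BODY = "Severity: $result.severity$\nMessage: $result.Message$"

if __name__ == "__main__":
    for name, ev in (("create", CREATE_EVENT), ("close", CLOSE_EVENT)):
        print(f"--- {name} event ---")
        print("tokens that render blank:", audit(SUBJECT, BODY, ev))
        print(render(SUBJECT, ev))
        print(render(BODY, ev))
```

Run against the "create" event nothing is reported, which matches the observation that mail sent at incident creation is populated; run against the "close" event every referenced field is flagged, which is the condition under which the post-closure email arrives with blank values. If the audit reports missing fields for the closing event, that is the list of fields the closing correlation search (or a separate post-closure action) has to carry for the tokens to resolve.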

mark_cet
Path Finder

Apologies for the delay.

Thanks Seb.
