Splunk ITSI

Why are Email notifications not sending search field data?

mark_cet
Path Finder

Hi everyone,

We have action rules in the Notable Event Aggregation Policies that send email notifications. The emails are received but they do not include the specified search field data.

In the subject and body we have some of the search fields that exist (and are populated) in the episodes, in the following format:

$result.<searchfield>$

e.g. $result.Message$


But the data from the fields is not included in the emails we receive. We have tried several different fields with the same result. Any idea what we are missing here?

Thanks.



srauhala_splunk
Splunk Employee

Hi! 

That looks like the correct syntax. Have you validated that the fields you want to email are available in the notable event you are passing to the NEAP? 

/Seb  


mark_cet
Path Finder

Hi Seb,

Yes, the fields are present in the correlation results used by the NEAP. Do the fields need to be from the raw event, or can I use fields extracted using eval statements?


Thanks.

Mark


srauhala_splunk
Splunk Employee

Hi Mark! 

The fields can be defined by an eval command or any other command, for that matter.

You can also try triggering emails from the action drop-down in "Episode Review", just to verify that the syntax and fields you are trying to use exist in the episodes.

/Seb  


mark_cet
Path Finder

Thanks for your reply Srauhala.

I think I have found the issue. It appears to be an issue with the Splunk / ServiceNow bidirectional integration.

We are trying to send an email after the SNow incident is closed. If I send an email notification when we create the SNow incident the fields are displayed correctly.

It appears that the tokens lose their association to the episode after it's closed.

Are you aware of anything special we have to do for this scenario?


Thanks again.


srauhala_splunk
Splunk Employee

Hi @mark_cet 

Great news that you figured it out!

Are you sending the email at the same time as you are closing the episode? If the metadata you want to pass to the email is missing in the "Closing" event, consider setting up an additional alert action to send the email post closure and/or edit the bidirectional/closing correlation search to include the information you want in the email.

/Seb

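The check Seb suggests (confirm that every $result.<field>$ token in the subject/body actually exists in the row the action receives) can be done offline before touching the NEAP. The script below is an added example written for this thread, not Splunk or ITSI code: it pulls the $result.<field>$ tokens out of an email template, compares them against the result row a given action would see, and renders the template the way the email would come out. The two rows are constructed sample data; the "create" row carries the correlation-search fields, while the "close" row from the bidirectional integration carries only episode bookkeeping fields, which is the situation Mark describes. Field names such as itsi_group_id are used only as sample keys.

```python
import re
from typing import Dict, List, Tuple

# Matches Splunk-style result tokens such as $result.Message$.
# Assumption: only the $result.<field>$ form used in the thread is handled.
TOKEN_RE = re.compile(r"\$result\.([A-Za-z0-9_:.-]+)\$")


def referenced_fields(template: str) -> List[str]:
    """Field names a subject/body template references, in order, without duplicates."""
    seen: List[str] = []
    for name in TOKEN_RE.findall(template):
        if name not in seen:
            seen.append(name)
    return seen


def missing_fields(template: str, result: Dict[str, str]) -> List[str]:
    """Fields the template needs that are absent or empty in the row the action will see."""
    return [f for f in referenced_fields(template) if not result.get(f)]


def render(template: str, result: Dict[str, str]) -> str:
    """Substitute tokens as the email would; an absent field becomes an empty string,
    which is exactly the symptom in the thread (email arrives, field data blank)."""
    return TOKEN_RE.sub(lambda m: result.get(m.group(1), ""), template)


def check(template: str, row: Dict[str, str]) -> Tuple[str, List[str]]:
    """Rendered text plus the list of tokens that resolved to nothing."""
    return render(template, row), missing_fields(template, row)


# Constructed sample rows (not real ITSI data).
CREATE_ROW = {
    "itsi_group_id": "EXAMPLE-EPISODE-ID",
    "itsi_group_title": "Disk usage critical on host-a",
    "Message": "Disk /var at 97%",
    "severity": "critical",
}
CLOSE_ROW = {
    "itsi_group_id": "EXAMPLE-EPISODE-ID",
    "status": "closed",
}

# Constructed email template in the format the question uses.
SUBJECT = "Episode $result.itsi_group_id$ update: $result.Message$"
BODY = "Severity: $result.severity$\nMessage: $result.Message$"

if __name__ == "__main__":
    for label, row in (("create", CREATE_ROW), ("close", CLOSE_ROW)):
        rendered, missing = check(SUBJECT + "\n" + BODY, row)
        print(f"--- {label} ---")
        print(rendered)
        if missing:
            print("missing fields:", ", ".join(missing))
```

Running it shows the create-time row rendering every token, while the close-time row reports Message and severity as missing, so the fix belongs in the closing correlation search (carry those fields through) or in a separate action fired before closure, as the answer describes.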

mark_cet
Path Finder

Apologies for the delay.

Thanks Seb.
