How to include the output of the rex command in th...

tirednboreditwo · ‎01-19-2015

I have an alert email setup for certain events.

The 'source' file paths look like
/path/to/logs/serverInstance/siteName/logfile.txt

I want to include serverInstance and siteName in the body of the email.

I've tried using search condition...

|rex field=source  mode=sed  ....

So using this, I can see that it returns me correct data in 'source' field if I run the search in Splunk web Search app.

However, how do I have that field show up in email? Right now, if I create an alert using the above mentioned search (including rex), the email just contains raw events, and not output of rex command.

fdi01 · ‎01-20-2015

uses sendemail order the continuation of your research and especially does not forget to specify SendResults = true argument of this command, as the argument SendResults = true | false allows Determines whether the results Should Be included with the
email. Defaults to false.

index=_internal | head 5 |sendemail to=example@splunk.com
server=mail.example.com subject="Here is an email from
Splunk" message="This is an example message" sendresults=true
inline=true format=raw sendpdf=true
sendresults=true

pradeepkumarg · ‎01-19-2015

How does your search query look like ? You can use | table command to output the fields you want

How to include the output of the rex command in the body of an alert email?

Shape the Future of Splunk: Join the Product Research Lab!

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Are you a member of the Splunk Community?

How to include the output of the rex command in the body of an alert email?

Shape the Future of Splunk: Join the Product Research Lab!

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions