How to include the output of the rex command in th...

tirednboreditwo · ‎01-19-2015

I have an alert email setup for certain events.

The 'source' file paths look like
/path/to/logs/serverInstance/siteName/logfile.txt

I want to include serverInstance and siteName in the body of the email.

I've tried using search condition...

|rex field=source  mode=sed  ....

So using this, I can see that it returns me correct data in 'source' field if I run the search in Splunk web Search app.

However, how do I have that field show up in email? Right now, if I create an alert using the above mentioned search (including rex), the email just contains raw events, and not output of rex command.

fdi01 · ‎01-20-2015

uses sendemail order the continuation of your research and especially does not forget to specify SendResults = true argument of this command, as the argument SendResults = true | false allows Determines whether the results Should Be included with the
email. Defaults to false.

index=_internal | head 5 |sendemail to=example@splunk.com
server=mail.example.com subject="Here is an email from
Splunk" message="This is an example message" sendresults=true
inline=true format=raw sendpdf=true
sendresults=true

pradeepkumarg · ‎01-19-2015

How does your search query look like ? You can use | table command to output the fields you want

How to include the output of the rex command in the body of an alert email?

October Community Champions: A Shoutout to Our Contributors!

Community Content Calendar, November Edition

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Are you a member of the Splunk Community?

How to include the output of the rex command in the body of an alert email?

October Community Champions: A Shoutout to Our Contributors!

Community Content Calendar, November Edition

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!