Splunk Search
Highlighted

How to select fields for email alert

Splunk Employee
Splunk Employee

Is there any way to control the reported fields in an email alert? I have configured splunk to add the search results inline, but I don't need all the fields it is showing. I only want the host and _raw fields to show up in the email. Can you point me in the direction where I can change this behavior?

Highlighted

Re: How to select fields for email alert

Splunk Employee
Splunk Employee

You can control this by appending "| fields + host,_raw" to the search string

View solution in original post

Highlighted

Re: How to select fields for email alert

Splunk Employee
Splunk Employee

This is exactly what I was looking for. Thank you

0 Karma
Highlighted

Re: How to select fields for email alert

Path Finder

If Splunk is showing more fields then those two (_time) you can remove the fields you don't want by issuing the command | fields - _time after the | fields + host, _raw.

View solution in original post

Highlighted

Re: How to select fields for email alert

Splunk Employee
Splunk Employee

Thank you for the answer, this is helpful.

0 Karma