Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Variable reference in To: field of an email alert.

mdzmuran
Observer
‎07-19-2021 01:19 PM

Hi Splunk Team.

Can I use variable reference in To: field of an email alert? I have a distribution_list variable associated with my sourcetype and it is set to correct email address depending on date and time.  

U put $result.distribution_list$ in the To: field, but it does not send email.

Thanks

Michal

0 Karma
Reply

venkatasri
SplunkTrust
SplunkTrust
‎07-19-2021 02:31 PM

Hi @mdzmuran 

Yes you can use $result.distribution_list$ format in TO: field, however the search results should be having the value populated to distribution_list field, did you verify it?

How are you so sure email not been sent just checking the inbox ? Sometimes the Splunk user has been restricted to schedule alerts. Can you run following query to find out errors associated to your alert?

 

index=_internal source=*scheduler.log ERROR OR WARN

 

 To find send email errors,

 

index=_internal source=*python.log sendemail ERROR OR WARN

 

Hope mail server already configured in Splunk.

---

An upvote would be appreciated and Accept solution if this reply helps!

 

0 Karma
Reply

mdzmuran
Observer
‎07-19-2021 10:33 PM

HIi venkatasri.

The alerts are triggered, I can see them in Triggered alerts.

If I replace $result.distribution_list$ with regular email address, the emails are sent.

The queries suggested do not return any data. It may be due to access permissions, I asked administrators to run them.

One more info, it may be important. The distribution_list variable is not defined in the search query. It is defined in the Calculated Fields setting for this particular sourcetype. I can see it, however, in the search results if I run the alert query manually.picture.jpg

Michal

0 Karma
Reply

venkatasri
SplunkTrust
SplunkTrust
‎07-20-2021 12:20 AM

@mdzmuran 

As per docs the field shall be explicitly available in results.  Try including distribution_list to results using | fields command. Hope this helps!

$result.fieldname$First value for the specified field name from the first search result row. Verify that the search generates the field being accessed.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...