I have an alert that sends an email every day at 6:00 AM that is formated in a table to show me the systems that have been rebooted in the last 24 hours.
in the email is the content of the search that was run:
Name: 'Server Restarts' **Query Terms: 'index=main EventCode=1074 SourceName=\"USER32\" | rex field=_raw \"Comment:\s(?.</em>)\" | rex field=Message \"The process\s(?<process>[^\s]+)\" | transaction host maxspan=5m | eval user_count=mvcount(User) | eval final_user=case(user_count == 1, User, user_count > 1, mvindex(User, user_count-1)) | eval process_count=mvcount(process) | eval final_process=case(process_count == 1, process, process_count > 1, mvindex(process, process_count-1)) | table <em>time host final_user final_process comment | rename _time AS Time | convert timeformat=\"%m/%d/%Y. %H:%M:%S\" ctime(Time) | rename final_user AS Username | rename final_process AS \"Process name\" | rename comment AS \"Comment\"' <br> Link to results: <a href="https://xxx.xxx.xxx.48:8000/app/search/@go?sid=scheduler">https://xxx.xxx.xxx.48:8000/app/search/@go?sid=scheduler</a></em><em>mikeh</em>_search_RVNDRyBTZXJ2ZXIgUmVzdGFydHM_at_1317207600_5ee867f493492a6e <br> Alert was triggered because of: 'Saved Search [Server Restarts]: number of events(4)'** </p> <p>Time host Username Process name Comment<br> 09/28/2011. 05:30:00 XXXWEB02 ESCG\cfldap winlogon.exe 60<br> 09/28/2011. 05:00:03 XXXAPP03 NT AUTHORITY\SYSTEM PSSDNSVC.EXE<br> 09/27/2011. 11:51:23 XXXUSERAPPS XXX\xxxxS Explorer.EXE<br><br> 09/27/2011. 11:22:40 XXXAPP10 NT AUTHORITY\SYSTEM svchost.exe *</p> <p>I want the email to have only the tabel without the search text in <strong>bold</strong> above</p> <p>How do i get this info out of the email alert????</p> </p>
... View more