The value for timestamp_begin is also not enclosed in quotes, so you won't get the fields timestamp_begin, message and level. Enclosing the value in quotes fixes it.
It looks like it's not extracting successfully because the "clientId is missing a closing quote. Adding it back in and using the following settings extracts the fields successfully:

BREAK_ONLY_BEFORE = ^{ \"sessionId
MUST_BREAK_AFTER = }$
TIME_PREFIX = timestamp\"\:\ \"
KV_MODE = json
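The two answers above both come down to the same thing: KV_MODE = json only yields fields when the whole event is well-formed JSON, so one missing closing quote or one unquoted value loses every field in that event. The following is an added example, not Splunk's own code and not from either poster: a deliberately simplified Python model of BREAK_ONLY_BEFORE, MUST_BREAK_AFTER, TIME_PREFIX and KV_MODE = json, run over a constructed two-event stream in which the second event carries exactly the two defects discussed (the "clientId" value has no closing quote and timestamp_begin is unquoted). The event contents, field values and the ISO 8601 timestamp format are assumptions for the sake of the demonstration.

```python
import json
import re

# Added example, not Splunk's own code: a simplified model of the props.conf
# settings in the answer above (BREAK_ONLY_BEFORE, MUST_BREAK_AFTER, TIME_PREFIX,
# KV_MODE = json), used to show why a missing closing quote or an unquoted
# value makes the whole event fail JSON field extraction.

BREAK_ONLY_BEFORE = re.compile(r'^\{ "sessionId')   # a new event starts on this line
MUST_BREAK_AFTER = re.compile(r'\}$')               # ...and the previous one ends after this
# TIME_PREFIX = timestamp": "  followed by the timestamp (assumed ISO 8601 layout)
TIME_RE = re.compile(r'timestamp": "(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)')

# Constructed sample input (not real data). Event 2 reproduces the two defects
# from the thread: "clientId" lacks its closing quote, timestamp_begin is unquoted.
RAW = '''\
{ "sessionId": "s-1",
  "clientId": "c-1",
  "timestamp": "2017-11-08T12:30:30Z",
  "timestamp_begin": "2017-11-08T12:30:00Z",
  "level": "INFO",
  "message": "login ok"
}
{ "sessionId": "s-2",
  "clientId": "c-2,
  "timestamp": "2017-11-08T12:31:30Z",
  "timestamp_begin": 2017-11-08T12:31:00Z,
  "level": "WARN",
  "message": "login retry"
}
'''

# The same second event with both defects repaired.
FIXED_SECOND = '''\
{ "sessionId": "s-2",
  "clientId": "c-2",
  "timestamp": "2017-11-08T12:31:30Z",
  "timestamp_begin": "2017-11-08T12:31:00Z",
  "level": "WARN",
  "message": "login retry"
}'''


def break_events(raw):
    """Split a raw multi-line stream into events as the two line-breaking settings
    describe: start a new event on a line matching BREAK_ONLY_BEFORE, or right
    after a line matching MUST_BREAK_AFTER."""
    events, current = [], []
    for line in raw.splitlines():
        if current and (BREAK_ONLY_BEFORE.search(line) or MUST_BREAK_AFTER.search(current[-1])):
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events


def extract_time(event):
    """Pull the event timestamp using the TIME_PREFIX regex; None if absent.
    The prefix is timestamp": " so it does not match the timestamp_begin field."""
    m = TIME_RE.search(event)
    return m.group(1) if m else None


def json_error(event):
    """Return the JSON parser's complaint (line/column) for a bad event, else None."""
    try:
        json.loads(event)
        return None
    except json.JSONDecodeError as e:
        return f"line {e.lineno} col {e.colno}: {e.msg}"


def extract_fields(event):
    """KV_MODE = json, modelled strictly: a well-formed object yields its keys as
    fields; a malformed one yields nothing, which is how the missing
    timestamp_begin/message/level fields in the question show up."""
    try:
        obj = json.loads(event)
    except json.JSONDecodeError:
        return {}
    return obj if isinstance(obj, dict) else {}


def process(raw):
    """Break, timestamp and extract every event; one dict per event."""
    return [{"_time": extract_time(ev), "fields": extract_fields(ev), "error": json_error(ev)}
            for ev in break_events(raw)]


if __name__ == "__main__":
    for i, r in enumerate(process(RAW), 1):
        print(f"event {i}: _time={r['_time']} fields={sorted(r['fields'])} error={r['error']}")
    print("repaired event 2 fields:", sorted(extract_fields(FIXED_SECOND)))
```

Run stand-alone it shows event 1 producing all six fields, event 2 producing none (with the parser pointing at the unterminated "clientId" string, which is where the missing quote lands), and the repaired copy of event 2 producing all six again. The practical check it suggests: before tuning props.conf, paste one raw event into a JSON validator; if that fails, the fix is in the producer of the events, not in Splunk.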
Use param.search_name="YOUR CUSTOM NAME". You can update the other fields in similar fashion: param.notable_field="YOUR VALUE"
sendalert documentation
You may need to create a click event handler and set preventDefault();
See this example of custom handlers:
http://dev.splunk.com/view/webframework-codeexamples/SP-CAAAEV8
Yes, change the link target.
https://docs.splunk.com/Documentation/Splunk/7.0.0/Viz/DrilldownLinkToDashboard#Open_the_target_in_another_browser_tab
Have you tried the curl --data-urlencode option instead of -d? I suspect it's because your query is being mangled in transport. Do the Splunk logs give you any information on the search that was received when sent by curl?
You have the SID of the search that triggered the alert: rt_scheduler_adminsearch_RMD5cf6dac5adc7385e1_at_1510141830_38328.0
Then use one of the endpoints (/services/search/jobs, /services/search/jobs/{search_id}/results) to get the search results using the SID.
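The curl answer and the SID answer above both touch the search REST endpoints, so one added example covers both. It is not Splunk's code and not from either poster. It models what a form-decoding endpoint such as /services/search/jobs sees when a search string goes out with curl -d (raw bytes: every "&" splits off a new parameter, every "+" decodes to a space) versus --data-urlencode (percent-encoded, arrives intact), and then builds the /services/search/jobs/{sid}/results URL for the SID quoted in the answer. The host name splunk.example:8089 and the search string itself are assumptions; the SID is the one from the thread. The "&" case is also the security-relevant one: an unencoded search that carries "&" lets part of the search become a separate request parameter, which is parameter injection rather than merely a mangled query.

```python
from urllib.parse import parse_qs, quote, urlencode

# Added example, not Splunk's code. Models what the search endpoint sees when a
# search string is sent with curl -d (raw bytes) versus --data-urlencode
# (percent-encoded), and builds the results URL for a known SID.

SPLUNKD = "https://splunk.example:8089"   # assumed management-port URL
SID = "rt_scheduler_adminsearch_RMD5cf6dac5adc7385e1_at_1510141830_38328.0"  # from the answer

# Constructed search containing the characters that get mangled in a raw form
# body: '&' (parameter separator), '+' (decoded as space), plus '|', '"', '?', '='.
SEARCH = r'search index=web uri="/login?user=a&pw=b" | rex "(?<tag>\w+)\+" | stats count by tag'


def curl_d_body(search, output_mode="json"):
    """Body produced by:  curl -d "search=$SEARCH" -d output_mode=json  (nothing escaped)."""
    return f"search={search}&output_mode={output_mode}"


def curl_urlencode_body(search, output_mode="json"):
    """Body produced by:  curl --data-urlencode "search=$SEARCH" -d output_mode=json ."""
    return urlencode({"search": search, "output_mode": output_mode})


def server_decode(body):
    """How a form-decoding server reads the body: split on '&', then '+' -> space
    and %XX -> byte. Returns the first value seen for each parameter name."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def results_url(base, sid, count=0):
    """URL of /services/search/jobs/{sid}/results for a SID such as the one in the
    alert. The SID is percent-encoded so reserved characters cannot alter the path;
    count=0 asks for all rows."""
    return (f"{base.rstrip('/')}/services/search/jobs/{quote(sid, safe='')}/results?"
            + urlencode({"output_mode": "json", "count": count}))


if __name__ == "__main__":
    for label, body in (("-d", curl_d_body(SEARCH)),
                        ("--data-urlencode", curl_urlencode_body(SEARCH))):
        seen = server_decode(body)
        extra = sorted(set(seen) - {"search", "output_mode"})
        print(f"{label:>17}: intact={seen['search'] == SEARCH} "
              f"search={seen['search']!r} extra_params={extra}")
    print("results endpoint:", results_url(SPLUNKD, SID))
```

Run stand-alone, the -d line shows the search truncated at the first "&" with a stray "pw" parameter appearing, while the --data-urlencode line shows the search arriving byte-for-byte. The same comparison against splunkd's own log of the received search (the check the curl answer suggests) tells you whether the problem is transport encoding or the search itself.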
'click.name2' == "type_2"
I've had mixed results using $ for tokens. Use single quotes instead. You also need encoded quotes for the literal value.