I am working on creating an alert in Splunk. In my search I am creating a variable using eval, but it is not used in the result table. I would like to use it in the email subject and body. The search:

index=applications sourcetype=aws:cloudwatchlogs ((Job="*prod-job1*") OR (Job="*prod-job2*"))
| eval emailTime=strftime(now(),"%m/%d/%Y")
| stats latest(_time) as _time latest(s3Partition) as s3Partition latest(field1) as field1 latest(field2) as field2 latest(emailTime) as emailTime by table_name
| search field2="*" emailTime=*
| eval diff=(field2-field1)
| eval evt_time=strftime(_time, "%Y-%m-%d")
| eval partition_date=substr(s3Partition, len("event_creation_time=")+1, len("yyyy-mm-dd"))
| where isnotnull(table_name) and isnotnull(emailTime) and (evt_time == partition_date)
| table table_name, field1, field2, diff
| sort table_name
| rename table_name AS "Table Name" field1 AS "Field1 count" field2 AS "Field2 count" diff AS "Count Difference"

I tried using it like $result.partition_date$ and $result.emailTime$ in the subject and body, but the value is not getting substituted; it appears empty in both places. Is it possible to use this value in the email without using it in the table for the alert? Thank you
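An added example, not part of the post above, showing the behaviour the question runs into. Splunk substitutes $result.<fieldname>$ in alert actions with the value of that field from the first row of the final search results; a field that the search has already dropped (here, `table table_name, field1, field2, diff` keeps only those four fields) is not available to the token and comes out empty. The search below is self-contained: it builds two constructed rows with `makeresults` instead of reading from the index, reproduces the post's `s3Partition`/`partition_date` logic, and keeps `partition_date` and `emailTime` in the final results so the tokens resolve. The table and field values are made up for the example.

```spl
| makeresults count=2
| streamstats count AS n
| eval table_name=if(n=1, "orders", "payments"),
       s3Partition="event_creation_time=" . strftime(now(), "%Y-%m-%d"),
       field1=if(n=1, 100, 200),
       field2=if(n=1, 100, 205)
| eval emailTime=strftime(now(), "%m/%d/%Y")
| eval partition_date=substr(s3Partition, len("event_creation_time=")+1, len("yyyy-mm-dd"))
| eval diff=field2-field1
| where diff != 0
| sort table_name
| table table_name, field1, field2, diff, partition_date, emailTime
```

With this as the alert search, a subject such as `Count mismatch in $result.table_name$ for partition $result.partition_date$` and a body line such as `Report generated $result.emailTime$` are filled from the first result row (`payments`, today's partition date). Because the token only ever reads the first row, the `sort` decides which table's values land in the subject when several tables trigger at once. The trade-off is that any field kept for the token is also part of the result set, so it will show up in the inline results table of the e-mail; if the field must not be visible there, the value has to reach the e-mail some other way than a $result.<field>$ token.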