Hi. Perhaps you can show what your output looks like but basically whatever the final fields are in the search results, those are the fields that can be used in email. What I often do is format up special fields to use in email/slack that are easier for the user to see. For example, I have a search that shows me missing indexers in a cluster manager. My code snippet is | eval cluster_manager=host | stats count by missing_indexer,cluster_manager | eval missing_indexer_cm=missing_indexer + " (" + cluster_manager + ")" | eventstats values(missing_indexer_cm) as missing_indexer_cm   I create a new field missing_indexer_cm which combines 2 fields missing_indexer and cluster_manager So the output is approximately this missing_indexer cluster_manager count missing_indexer_cm --------------- --------------- ----- ------------------- idx1.foo.com cm3.foo.com 42 idx1.foo.com (cm3.foo.com) And then in alerting I use $result.missing_indexer_cm$ but when users click on the results of the search they see the above with all the info   ... View more

Sorry, it was a mistake on my part.  It should have been sourceCorrelationId instead of correlationId.  Both are valid keys in the log. When I used sourceCorrs a am accepting that elationId in the example you provided, it worked. I am accepting that as solution. Thanks for your help.   ... View more

This is not returning any data - I also tried changing the _time to publish date like below index=our-applications env=prod | eval publishTime=strptime(eventPublishTime, "%Y-%m-%dT%H:%M:%S.3N%Z") | bin span=30m publishTime | convert timeformat="%H:%M" ctime(publishTime) AS PublishHrMin | convert timeformat="%Y-%m-%d" ctime(publishTime) AS PublishDate | stats c(PublishHrMin) AS PublishHrMinCount by PublishDate, parentEventName, PublishHrMinMinCount by PublishDate, parentEventName, PublishHrMin   Am I missing something or doing something wrong ? Thanks ... View more