We are using the query below for our alert. When we receive the mail, we want to see the Message in the alert title. In the subject we give Splunk Alert: $name$. In this place, when the alert is triggered, we want to view the Messages in the alert title. We tried giving Splunk Alert: $result.Message$, but here only 1 message is showing up, not all. How can we do it?

Query:
index=app-index "ERROR"
|eval Message=case(
like(_raw, "%internal error system%"), "internal error system",
like(_raw, "%connection timeout error%"), "connection timeout error",
like(_raw, "%connection error%"), "connection error",
like(_raw, "%unsuccessfull application%"), "unsuccessfull application",
like(_raw, "%error details app%"), "error details app", 1=1, null())
|stats count by Message
|eval error=case(
Message="internal error system" AND count >0,1,
Message="connection timeout error" AND count >0,1,
Message="connection error" AND count >0,1,
Message="unsuccessfull application" AND count >0,1,
Message="error details app" AND count >0,1)
|search error=1
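
Added example, not part of the original post: the `$result.fieldname$` token is filled from the first result row only, so a search that returns one row per Message can put only one of them in the subject. One way to make `Splunk Alert: $result.Message$` list every matched message is to collapse the rows into a single row before the alert fires; the `, ` separator and the final `where` guard are assumptions of this example.

```spl
index=app-index "ERROR"
| eval Message=case(
    like(_raw, "%internal error system%"), "internal error system",
    like(_raw, "%connection timeout error%"), "connection timeout error",
    like(_raw, "%connection error%"), "connection error",
    like(_raw, "%unsuccessfull application%"), "unsuccessfull application",
    like(_raw, "%error details app%"), "error details app",
    1=1, null())
| stats count by Message                                   ```unmatched events have a null Message and drop out here```
| stats values(Message) as Message, sum(count) as count    ```one row: Message is now multivalue, count is the total```
| eval Message=mvjoin(Message, ", ")                       ```flatten to one string (separator is an assumption)```
| where isnotnull(Message)                                 ```assumed guard: return no row when nothing matched```
```

With a single result row, the trigger condition "number of results is greater than 0" still fires only when at least one of the listed messages was seen.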