From what I can tell it's just a straightforward field and single value from a JSON feed. Here's an event example from the search:

    action: Block
    asset: {
        id: xxxxx-xxxx-xxxxx-xxxx-xxxxxxxx
        kind: Endpoint
        name: Vxxxxx3
    }
    dataType: Event
    guid: 0xxxxxx
    id: 7c332exxxxb24e
    kind: TrustDowngrade
    occurredAt: 2025-03-18T14:56:13.748Z
    primaryProcess: { ... }
    processes: [ ... ]
    summary: { ... }
    tenantId: xxxx-xxxxx-xxxx-xxxx-xxxxxxxx

It's JSON data, so the field format on the thing I want ends up being asset.name, and the data does show Vxxxxx3. I thought maybe it was a search timing thing, like the field wasn't there when the search was run in the alert (seemed unlikely, but I'm having no luck so far in figuring this out), so I did a rex on the raw data to pull the data I wanted using:

    | rex field=_raw "\"name\":\"(?<hostname>[^\"]*)\""

and again, I now see a hostname field with the Vxxxxx3 data in it like I'd expect. But when I put $result.hostname$ into the message of the alert, all I get is a blank email.
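An added illustration, not part of the original post: the rex pattern in the post pulls the first "name":"..." pair out of _raw, which matches asset.name here only because asset is the first object carrying a name key and the indexed JSON is compact. The Python below, using a constructed event modelled on the one in the post (the primaryProcess name is invented), shows where that extraction agrees with the structured asset.name field and where it silently diverges.

```python
import json
import re

# Same pattern as the post's rex: grabs the FIRST "name":"..." pair in _raw.
REX_NAME = re.compile(r'"name":"([^"]*)"')


def build_event(primary_first: bool = False, pretty: bool = False) -> str:
    """Constructed event (not real data) with the fields relevant to the post.

    primary_first moves primaryProcess ahead of asset; pretty emits the JSON
    with spaces after colons, as a pretty-printed feed would.
    """
    fields = [
        ("action", "Block"),
        ("asset", {"id": "xxxxx-xxxx", "kind": "Endpoint", "name": "Vxxxxx3"}),
        ("kind", "TrustDowngrade"),
        ("occurredAt", "2025-03-18T14:56:13.748Z"),
        ("primaryProcess", {"name": "example.exe"}),  # constructed second "name" key
    ]
    if primary_first:
        fields.insert(0, fields.pop())
    obj = dict(fields)
    if pretty:
        return json.dumps(obj, indent=2)
    return json.dumps(obj, separators=(",", ":"))


def hostname_via_rex(raw: str):
    # Emulates: | rex field=_raw "\"name\":\"(?<hostname>[^\"]*)\""
    m = REX_NAME.search(raw)
    return m.group(1) if m else None


def hostname_via_json(raw: str):
    # The structured equivalent of Splunk's auto-extracted asset.name field.
    return json.loads(raw).get("asset", {}).get("name")


def compare(raw: str):
    """Return (rex result, structured result) for one raw event."""
    return hostname_via_rex(raw), hostname_via_json(raw)


if __name__ == "__main__":
    print(compare(build_event()))                    # both agree
    print(compare(build_event(pretty=True)))         # rex misses the spaced form
    print(compare(build_event(primary_first=True)))  # rex grabs the wrong "name"
```

Whichever field is used in the alert message, checking it the same way the alert search produces it (rather than in an interactive search) is what tells you whether the token has a value to fill.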