Hello Everyone,
I'm assuming this has come up before, but for the life of me I cannot find the answer.
I am trying to get the value of a field in the triggered alert name. I am using the search below to find out if any sourcetypes haven't reported between 24 and 48 hours.
| metadata type=sourcetypes
| eval age = now() - lastTime
| eval days = age / 86400
| where age >= 86400 and age < (86400*2)
The above search returns a table and one of the columns is sourcetype. I'd like to take the value of that cell (Source A) and place it into the alert name when it fires. Example: Source Type (Source A) has not reported in over 24 hours.
I have tried $result.sourcetype$, but this only works in emails. I would like this to show up in the notable as well.
If I'm not at all clear or looking at this issue correctly, please let me know.
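One way to make the per-sourcetype title available to any alert action is to build it as a field inside the search itself, so that the same $result.fieldname$ token the post already uses for email can be pointed at a ready-made string. The search below is an added example, not part of the original post; the field names alert_title, alert_body, days_silent and last_seen are assumptions chosen for illustration, and whether the notable event action accepts $result.alert_title$ in its title depends on the alert action's token support in your deployment.

```spl
| metadata type=sourcetypes
| eval age = now() - lastTime
| where age >= 86400 AND age < (86400*2)
| eval days_silent = round(age / 86400, 1)
| eval last_seen = strftime(lastTime, "%Y-%m-%d %H:%M:%S")
| eval alert_title = "Source Type (" . sourcetype . ") has not reported in over 24 hours"
| eval alert_body = "Last event from sourcetype " . sourcetype . " was seen at " . last_seen . " (" . days_silent . " days ago)"
| table sourcetype lastTime last_seen days_silent alert_title alert_body
```

Each row of the result is one silent sourcetype, so configure the alert to trigger for each result rather than once per search; that way $result.alert_title$ and $result.alert_body$ resolve to the values for that single row, and one notable is raised per sourcetype instead of one notable that only reflects the first row. The unused days field from the original search is replaced by days_silent, which is rounded so it reads cleanly inside the generated text.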