Alerting

How to include search variable in email, but not display in result table

AruBhende
Explorer

I am working on creating an alert in Splunk. In my search I am creating a variable using eval that is not used in the result table, but I would like to use it in the email subject and body.

index=applications sourcetype=aws:cloudwatchlogs ((Job="*prod-job1*") OR (Job="*prod-job2*"))
| eval emailTime=strftime(now(),"%m/%d/%Y")
| stats latest(_time) as _time latest(s3Partition) as s3Partition latest(field1) as field1 latest(field2) as field2 latest(emailTime) as emailTime by table_name
| search field2="*" emailTime=*
| eval diff=(field2-field1)
| eval evt_time=strftime(_time, "%Y-%m-%d")
| eval partition_date=substr(s3Partition, len("event_creation_time=")+1, len("yyyy-mm-dd"))
| where isnotnull(table_name) and isnotnull(emailTime) and ( evt_time == partition_date )
| table table_name, field1, field2, diff
| sort table_name
| rename table_name AS "Table Name" field1 AS "Field1 count" field2 AS "Field2 count" diff AS "Count Difference"

I tried using it like $result.partition_date$ and $result.emailTime$ in the subject and body, but the value is not getting substituted; it appears empty in both places.

Is it possible to use this value in email without using it in the table for the alert?

Thank you

0 Karma

AruBhende
Explorer

So, they are available in the search results, as the where clause is working. So, if I don't want to display them, I cannot include them in the email as well?

0 Karma

burwell
SplunkTrust

Hi. Perhaps you can show what your output looks like, but basically whatever the final fields are in the search results, those are the fields that can be used in the email.

What I often do is format up special fields to use in email/slack that are easier for the user to see.

For example, I have a search that shows me missing indexers in a cluster manager.

My code snippet is:

| eval cluster_manager=host
| stats count by missing_indexer,cluster_manager
| eval missing_indexer_cm=missing_indexer + " (" + cluster_manager + ")"
| eventstats values(missing_indexer_cm) as missing_indexer_cm


I create a new field missing_indexer_cm, which combines the two fields missing_indexer and cluster_manager.

So the output is approximately this:

missing_indexer   cluster_manager count   missing_indexer_cm
---------------   --------------- -----   -------------------
idx1.foo.com      cm3.foo.com      42      idx1.foo.com (cm3.foo.com)


And then in alerting I use $result.missing_indexer_cm$, but when users click on the results of the search they see the above with all the info.

0 Karma
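Putting the question's search and the approach in the answer above together, here is an added example (not code from the original posts or from Splunk's documentation) of the alert search rewritten so that the email tokens resolve. The only change that matters for the question is that partition_date and emailTime are kept in the final table instead of being dropped by the table command; the table_summary and affected_tables fields are assumed names, added the same way the answer builds missing_indexer_cm, so that a single row carries the whole picture for the email body:

```spl
index=applications sourcetype=aws:cloudwatchlogs ((Job="*prod-job1*") OR (Job="*prod-job2*"))
| eval emailTime=strftime(now(),"%m/%d/%Y")
| stats latest(_time) as _time latest(s3Partition) as s3Partition latest(field1) as field1 latest(field2) as field2 latest(emailTime) as emailTime by table_name
| eval diff=field2-field1
| eval evt_time=strftime(_time, "%Y-%m-%d")
| eval partition_date=substr(s3Partition, len("event_creation_time=")+1, len("yyyy-mm-dd"))
| where isnotnull(table_name) and isnotnull(emailTime) and evt_time == partition_date
| eval table_summary=table_name . " (diff=" . diff . ")"   ```assumed field name: one display string per table, like missing_indexer_cm in the answer above```
| eventstats values(table_summary) as affected_tables   ```assumed field name: eventstats copies the same multivalue onto every row, so the token reads it from row 1 whatever the sort order```
| table table_name, field1, field2, diff, partition_date, emailTime, affected_tables
| sort table_name
| rename table_name AS "Table Name" field1 AS "Field1 count" field2 AS "Field2 count" diff AS "Count Difference"
```

With this search the subject can use $result.partition_date$ and $result.emailTime$, and the body can use $result.affected_tables$. Two things to check when a token still comes out empty: the alert action substitutes $result.fieldname$ from the first result row, so a per-row value (like diff) only reflects whichever table sorts first, which is why the aggregated eventstats field is safer; and tokens refer to the field names as they exist at the end of the pipeline, so any field you reference in the email should be left out of the rename (or renamed to a name without spaces).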

burwell
SplunkTrust

Hi. Any fields you want to have reported in the email have to be available in the search results.

0 Karma