Hello Everyone,
I'm assuming this has come up before, but for the life of me I cannot find the answer.
I am trying to get the value of a field in the triggered alert name. I am using the search below to find out if any sourcetypes haven't reported between 24 and 48 hours.
| metadata type=sourcetypes
| eval age = now() - lastTime
| eval days = age / 86400
| where age >= 86400 and age < (86400*2)
The above search returns a table and one of the columns is sourcetype. I'd like to take the value of that cell (Source A) and place it into the alert name when it fires. Example: Source Type (Source A) has not reported in over 24 hours.
I have tried $result.sourcetype$, but this only works in emails. I would like this to show up in the notable as well.
If I'm not at all clear or looking at this issue correctly, please let me know.
Solved the issue. For Notable triggers, you can just put $fieldname$ in the title and it will trigger with it. I had to assign the sourcetype field to another variable with eval, but I think this had to be done due to mapping in a configuration file.
$fieldname$ in notable trigger
$result.fieldname$ in email trigger
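As an added example (not from this thread or from Splunk's own docs), here is a savedsearches.conf stanza that wires the search above into a scheduled search using both token forms the accepted answer describes: bare $field$ in the notable title, $result.field$ in the email subject. The stanza name, schedule, recipient address and the action.notable.param.* parameter names are assumptions to check against your Enterprise Security version.

```ini
# Added example, not the poster's own configuration.
# Stanza name, schedule and recipient are constructed placeholders.
[Sourcetype stopped reporting - 24 to 48 hours]
search = | metadata type=sourcetypes \
| eval age = now() - lastTime \
| eval days = age / 86400 \
| where age >= 86400 AND age < (86400*2) \
| eval source_type = sourcetype
enableSched = 1
cron_schedule = 0 * * * *
dispatch.earliest_time = -1d
dispatch.latest_time = now
counttype = number of events
relation = greater than
quantity = 0

# Notable event (ES): bare $field$ tokens, per the accepted answer.
# The copied field source_type is used rather than sourcetype itself.
action.notable = 1
action.notable.param.rule_title = Source Type ($source_type$) has not reported in over 24 hours
action.notable.param.rule_description = $source_type$ last reported $days$ days ago (telemetry gap)
action.notable.param.security_domain = endpoint
action.notable.param.severity = medium

# Email: $result.field$ tokens, which is the form that works here.
action.email = 1
action.email.to = soc@example.com
action.email.subject = Source Type ($result.source_type$) has not reported in over 24 hours
```

Reload or restart Splunk after editing the file, then check the generated notable title and email subject after the first scheduled run to confirm the tokens were substituted rather than passed through as literal text.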
Try using $result.sourcetype$ in the alert name.
Sorry, I should have mentioned I tried that in the Alert Title.
I may be confusing the Title with the Name, but when I tried that in the rule it fired with the literal string "$result.sourcetype$" in the name.
Not sure about the query. If the field name is correct, it should get the value in $result.sourcetype$ when you add this in the alert action title. Where are you passing this variable?
I did some testing and realized that $result.sourcetype$ does work within the email trigger, but not for notable. The notable triggered with the literal string $result.sourcetype$, is there a way to make the notable trigger with a different name?
I'm not passing the variable anywhere. I thought that the alert would fire and take the cell value of "sourcetype". I updated my search by adding "| eval source_type = sourcetype" and this copies the value of "sourcetype" to "source_type". I then tried $result.source_type$ in the alert name, but still no luck.
Am I working under the incorrect assumption that this would be passing the variable?