Solved: Re: How to select fields for email alert

Jaci · ‎05-06-2010

Is there any way to control the reported fields in an email alert? I have configured splunk to add the search results inline, but I don't need all the fields it is showing. I only want the host and _raw fields to show up in the email. Can you point me in the direction where I can change this behavior?

Dan · ‎05-06-2010

You can control this by appending "| fields + host,_raw" to the search string

View solution in original post

CerielTjuh · ‎05-07-2010

If Splunk is showing more fields then those two (_time) you can remove the fields you don't want by issuing the command | fields - _time after the | fields + host, _raw.

View solution in original post

CerielTjuh · ‎05-07-2010

If Splunk is showing more fields then those two (_time) you can remove the fields you don't want by issuing the command | fields - _time after the | fields + host, _raw.

Jaci · ‎05-07-2010

Thank you for the answer, this is helpful.

Dan · ‎05-06-2010

You can control this by appending "| fields + host,_raw" to the search string

Jaci · ‎05-07-2010

This is exactly what I was looking for. Thank you

How to select fields for email alert

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases