Alerting

can't get alert results to show in alert e-mail messages

stillerz
Engager

Hi,

I'm on v6.1.4 and have real-time alerts configured and they are triggering and sending e-mails fine, but the e-mail message content doesn't include the results from the search/alert.

I'm trying to get some of the field names that I have defined to show up in the alert e-mail body but all I get are blanks. I've also tried just having the entire result included in the e-mail message and that shows as a blank also.

I am using the tokens $result.fieldname$ in the message. In my example, it is $result.username$ where username is a field that I have defined.

Thank you!

rapmancz
Explorer

Hello, I had the same issue; it didn't work for me either. I solved it with an explicit field definition, in your case YOURSEARCH | fields username, vpnuser, Reason ....

Then the tokens $result.username$, $result.vpnuser$, $result.Reason$ started to work in e-mail definition...
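
An added example, not part of the original posts and not Splunk's own tooling: a small Python check that lists the $result.<field>$ tokens in an alert message whose field the search does not name in an explicit `| fields` clause, following the workaround reported above. It assumes that workaround is the condition for a token to be filled in; the function names and sample strings are constructed for illustration.

```python
import re
from fnmatch import fnmatchcase

# Matches $result.<field>$ tokens in an alert e-mail subject or body.
TOKEN_RE = re.compile(r"\$result\.([^$\s]+)\$")


def explicit_fields(search):
    """Return the names kept by the last `| fields ...` stage, or None.

    Simplification: splits on '|' and so assumes no pipe characters inside
    quoted strings; `fields - x` (a removal) is not counted as a definition.
    """
    kept = None
    for stage in (s.strip() for s in search.split("|")):
        m = re.match(r"fields\s+(.+)$", stage, re.S)
        if m and not m.group(1).startswith("-"):
            args = m.group(1).lstrip("+ ")
            kept = {f for f in re.split(r"[,\s]+", args) if f}
    return kept


def unresolved_tokens(search, message):
    """List $result.<field>$ tokens whose field the search does not name.

    Matching is case-sensitive (Splunk field names are), and `*` wildcards in
    the fields list are honoured.
    """
    kept = explicit_fields(search) or set()
    missing = []
    for field in TOKEN_RE.findall(message):
        covered = any(fnmatchcase(field, pattern) for pattern in kept)
        if not covered and field not in missing:
            missing.append(field)
    return missing


# Constructed sample, modelled on the template and workaround in this thread.
MESSAGE = (
    "Connection to ... was rejected for\n"
    "userB $result.vpnuser$\n"
    "ReasonB: $result.Reason$\n"
    "in lower case: $result.reason$\n"
)
FIXED_SEARCH = "YOURSEARCH | fields username, vpnuser, Reason"

if __name__ == "__main__":
    print(unresolved_tokens("YOURSEARCH", MESSAGE))
    print(unresolved_tokens(FIXED_SEARCH, MESSAGE))
```

With the explicit `| fields` clause only the lower-case `reason` token is still reported, because the field is named `Reason`.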

yemyslf
Path Finder

This worked for me...thanks!

0 Karma

nadlurinadluri
Communicator

What if we have two rows, and we need to print the second row also?

Then the tokens $result.username$, $result.vpnuser$, $result.Reason$ started to work in e-mail definition...

This will give me the first value of that field (first row), but in my case I need 2 rows. Any idea how to solve this?

0 Karma

emasplunk
New Member

Same here for me. I want to include some of the fields from the search result in the email-body (in the best case: in the To: address as well)...

Despite the documentation stating (http://docs.splunk.com/Documentation/Splunk/latest/Alert/Setupalertactions) that I should be able to insert tokens in the mail body, all I get is empty text blocks...

I have some (custom extracted fields) "Reason" and "vpnuser" in the search result I want to show in the email. Following the documentation using the $result.fieldname$ syntax, this would look something like this:

///
Connection to ... was rejected for
userA $vpnuser$
userB $result.vpnuser$
ReasonA: $Reason$
ReasonB: $result.Reason$
in lower case: $result.reason$
///

This produces a triggered email containing:

///
Connection to ... was rejected for
userA
userB
ReasonA:
ReasonB:
in lower case:
///

Any idea how to get the fields filled in?

0 Karma

bkondakindi
Path Finder

You mean when you get the alerts, when you click that link it is not redirecting to the right URL, or is it some other issue?

more alert_actions.conf
[email]
reportPaperSize = ledger
mailserver = smtp.glb.tiaa-cref.org

[default]
hostname = complete FQDN name
maxresults = 10000
maxtime = 5m
track_alert = 0
ttl = 10p

0 Karma

stillerz
Engager

I'm not using the results URL, but instead I'm embedding fields (variables) from the results into the e-mail message body but I'm only getting blanks. I also get a blank when I try to embed all results using the token $result$, which I would expect to be text, not a URL.

Are you recommending that I check my mailserver name? If so, I'm just using a gmail account to send the alert messages.

0 Karma