Alerting

can't get alert results to show in alert e-mail messages

stillerz
Engager

Hi,

I'm on v6.1.4 and have real-time alerts configured and they are triggering and sending e-mails fine, but the e-mail message content doesn't include the results from the search/alert.

I'm trying to get some of the field names that I have defined to show up in the alert e-mail body but all I get are blanks. I've also tried just having the entire result included in the e-mail message and that shows as a blank also.

I am using the tokens $result.fieldname$ in the message. In my example, it is $result.username$ where username is a field that I have defined.

Thank you!


rapmancz
Explorer

Hello, I had the same issue; it didn't work for me either. I solved it with an explicit field definition, in your case YOURSEARCH | fields username, vpnuser, Reason ....

Then the tokens $result.username$, $result.vpnuser$, $result.Reason$ started to work in e-mail definition...

yemyslf
Path Finder

This worked for me...thanks!

0 Karma

nadlurinadluri
Communicator

What if we have two rows, and we need to print the second row also?

Then the tokens $result.username$, $result.vpnuser$, $result.Reason$ started to work in e-mail definition...

This will give me the first value of that field (first row), but in my case I need 2 rows. Any idea how to solve this?

0 Karma
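
An added example, not from any poster in this thread or from Splunk's own material: a savedsearches.conf stanza that combines the explicit `fields` clause from the reply above with per-result triggering (`alert.digest_mode = 0`), one way to get every row into its own e-mail given that $result.fieldname$ reads only the first row. The stanza name, index, sourcetype and recipient address are constructed placeholders.

```ini
# savedsearches.conf -- added example; stanza name, index, sourcetype and
# recipient address are constructed placeholders, not values from this thread.
[VPN connection rejected]
# Name every field the e-mail tokens reference in an explicit "fields" clause,
# which the reply above reports was needed before $result.<field>$ was filled in.
search = index=vpn sourcetype=vpn_auth "rejected" | fields username, vpnuser, Reason

# Real-time alert, as in the original question.
enableSched = 1
cron_schedule = * * * * *
dispatch.earliest_time = rt
dispatch.latest_time = rt

# Trigger whenever at least one result is returned ...
counttype = number of events
relation = greater than
quantity = 0
# ... and run the alert action once per result instead of once per result set,
# so each row produces its own e-mail carrying its own $result.<field>$ values.
alert.digest_mode = 0

action.email = 1
action.email.to = soc@example.com
# Token names use the same spelling and case as the fields listed in the search.
action.email.message.alert = Connection was rejected for user $result.vpnuser$ ($result.username$). Reason: $result.Reason$
```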

emasplunk
New Member

Same here for me. I want to include some of the fields from the search result in the email-body (in the best case: in the To: address as well)...

Despite the documentation stating (http://docs.splunk.com/Documentation/Splunk/latest/Alert/Setupalertactions) that I should be able to insert tokens in the mail body, all I get is empty text blocks...

I have some (custom extracted fields) "Reason" and "vpnuser" in the search result I want to show in the email. Following the documentation using the $result.fieldname$ syntax, this would look something like this:

///
Connection to ... was rejected for
userA $vpnuser$
userB $result.vpnuser$
ReasonA: $Reason$
ReasonB: $result.Reason$
in lower case: $result.reason$
///

This produces a triggered email containing:

///
Connection to ... was rejected for
userA
userB
ReasonA:
ReasonB:
in lower case:
///

Any idea how to get the fields filled in?

0 Karma

bkondakindi
Path Finder

You mean that when you get the alerts and click that link, it is not redirecting to the right URL, or is it some other issue?

more alert_actions.conf
[email]
reportPaperSize = ledger
mailserver = smtp.glb.tiaa-cref.org

[default]
hostname = complete FQDN name
maxresults = 10000
maxtime = 5m
track_alert = 0
ttl = 10p

0 Karma

stillerz
Engager

I'm not using the results URL, but instead I'm embedding fields (variables) from the results into the e-mail message body but I'm only getting blanks. I also get a blank when I try to embed all results using the token $result$, which I would expect to be text, not a URL.

Are you recommending that I check my mailserver name? If so, I'm just using a gmail account to send the alert messages.

0 Karma