How to include the output of the rex command in th...

tirednboreditwo · ‎01-19-2015

I have an alert email setup for certain events.

The 'source' file paths look like
/path/to/logs/serverInstance/siteName/logfile.txt

I want to include serverInstance and siteName in the body of the email.

I've tried using search condition...

|rex field=source  mode=sed  ....

So using this, I can see that it returns me correct data in 'source' field if I run the search in Splunk web Search app.

However, how do I have that field show up in email? Right now, if I create an alert using the above mentioned search (including rex), the email just contains raw events, and not output of rex command.

fdi01 · ‎01-20-2015

uses sendemail order the continuation of your research and especially does not forget to specify SendResults = true argument of this command, as the argument SendResults = true | false allows Determines whether the results Should Be included with the
email. Defaults to false.

index=_internal | head 5 |sendemail to=example@splunk.com
server=mail.example.com subject="Here is an email from
Splunk" message="This is an example message" sendresults=true
inline=true format=raw sendpdf=true
sendresults=true

pradeepkumarg · ‎01-19-2015

How does your search query look like ? You can use | table command to output the fields you want

How to include the output of the rex command in the body of an alert email?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life