I have an alert email set up for certain events.
The 'source' file paths look like
/path/to/logs/serverInstance/siteName/logfile.txt
I want to include serverInstance and siteName in the body of the email.
I've tried using search condition...
|rex field=source mode=sed ....
Using this, I can see that it returns the correct data in the 'source' field if I run the search in the Splunk Web Search app.
However, how do I get that field to show up in the email? Right now, if I create an alert using the above-mentioned search (including rex), the email just contains the raw events, and not the output of the rex command.
Use the sendemail command after your search, and above all do not forget to specify the sendresults=true argument of this command: the argument sendresults=true | false determines whether the results should be included with the email. Defaults to false.
index=_internal | head 5
| sendemail to=example@splunk.com server=mail.example.com
  subject="Here is an email from Splunk"
  message="This is an example message"
  sendresults=true inline=true format=raw sendpdf=true
sendresults=true
What does your search query look like? You can use the | table command to output the fields you want.
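
An added example, not part of the original thread, that combines the suggestions above: named capture groups in rex extract serverInstance and siteName from source, table keeps only the wanted fields, and sendemail with sendresults=true puts them in the message body. The index name, recipient, mail server, subject and message text are placeholder assumptions; the path layout is the one given in the question.

```spl
index=your_index source="/path/to/logs/*"
| rex field=source "^/path/to/logs/(?<serverInstance>[^/]+)/(?<siteName>[^/]+)/[^/]+$"
| table _time serverInstance siteName _raw
| sendemail to=example@splunk.com server=mail.example.com
    subject="Alert from Splunk"
    message="Matching events with server instance and site name"
    sendresults=true inline=true format=table
```

Events whose source does not match the expected directory depth get empty serverInstance and siteName values rather than wrong ones, because the pattern is anchored at both ends.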