Splunk Search

How to include the output of the rex command in the body of an alert email?

tirednboreditwo
Engager

I have an alert email setup for certain events.

The 'source' file paths look like
/path/to/logs/serverInstance/siteName/logfile.txt

I want to include serverInstance and siteName in the body of the email.

I've tried using search condition...

|rex field=source  mode=sed  ....

So using this, I can see that it returns the correct data in the 'source' field if I run the search in the Splunk Web Search app.

However, how do I have that field show up in the email? Right now, if I create an alert using the above-mentioned search (including rex), the email just contains the raw events, and not the output of the rex command.


fdi01
Motivator

Use the sendemail command at the end of your search, and especially do not forget to specify the sendresults=true argument of this command. The argument sendresults = true | false determines whether the results should be included with the email. Defaults to false.

index=_internal | head 5 | sendemail to=example@splunk.com server=mail.example.com subject="Here is an email from Splunk" message="This is an example message" sendresults=true inline=true format=raw sendpdf=true


pradeepkumarg
Influencer

What does your search query look like? You can use the | table command to output the fields you want.
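Putting the two answers together (extract the fields with rex, keep only the columns you want with table, then hand the result to sendemail with sendresults=true), here is an added, complete search. It is not code from either poster or from Splunk's documentation. It assumes an index named main, a sourcetype named app_logs, a mail server at mail.example.com and a recipient ops-team@example.com, all of which are placeholders. Unlike the original mode=sed attempt, it uses rex with named capture groups so that serverInstance and siteName become new fields next to the unchanged source field, which is what lets table and sendemail pick them up.

```spl
index=main sourcetype=app_logs source="/path/to/logs/*/*/logfile.txt"
| rex field=source "/(?<serverInstance>[^/]+)/(?<siteName>[^/]+)/[^/]+$"
| table _time host serverInstance siteName _raw
| sendemail to="ops-team@example.com" server="mail.example.com"
    subject="Alert: matching events by server instance and site"
    message="serverInstance and siteName are extracted from the source path of each event."
    sendresults=true inline=true format=table
```

The regex is anchored at the end of the path ($), so it always takes the last three path components: the directory two levels above the file as serverInstance, the directory directly above it as siteName, and the file name itself is discarded. format=table renders the table columns in the email body; if you only want the two extracted fields and not the raw event, drop _raw from the table command. Check the search in the Search app first: if serverInstance and siteName show up as columns there, they will appear in the email body as well.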
