Solved: How to select fields for email alert

Jaci · ‎05-06-2010

Is there any way to control the reported fields in an email alert? I have configured splunk to add the search results inline, but I don't need all the fields it is showing. I only want the host and _raw fields to show up in the email. Can you point me in the direction where I can change this behavior?

Dan · ‎05-06-2010

You can control this by appending "| fields + host,_raw" to the search string

View solution in original post

CerielTjuh · ‎05-07-2010

If Splunk is showing more fields then those two (_time) you can remove the fields you don't want by issuing the command | fields - _time after the | fields + host, _raw.

View solution in original post

CerielTjuh · ‎05-07-2010

If Splunk is showing more fields then those two (_time) you can remove the fields you don't want by issuing the command | fields - _time after the | fields + host, _raw.

Jaci · ‎05-07-2010

Thank you for the answer, this is helpful.

Dan · ‎05-06-2010

You can control this by appending "| fields + host,_raw" to the search string

Jaci · ‎05-07-2010

This is exactly what I was looking for. Thank you

How to select fields for email alert

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!