Solved: I want to use "$result." in my alert messages, but...

davidpaper · ‎11-11-2015

I want to run a search and include $result.sourcetype$ in my alert email, but it doesn't work.

http://docs.splunk.com/Documentation/Splunk/6.3.0/Alert/Emailnotification says it should.

Help!

davidpaper · ‎11-11-2015

If you want to use "$result." in your alert messages (either in the subject or the body), then there are a set of commands called transforming commands that you can’t use. They are listed here:

http://docs.splunk.com/Splexicon:Transformingcommand

So, a very simple search that would allow you to include “$result.source$” in your Subject or email body would be something like:

index=foo | head 1

But if you tried to do:

index=foo | stats count

none of the $result.*$ values are available.

A request to update docs has been submitted.

View solution in original post

dmwyss · ‎10-28-2019

I had the problem that when I was using tokens from the search, no email would be sent.
Then I discovered a typo in a different field.
Once I resolved the - seemingly unrelated - problem it started working again.

davidpaper · ‎11-11-2015

If you want to use "$result." in your alert messages (either in the subject or the body), then there are a set of commands called transforming commands that you can’t use. They are listed here:

http://docs.splunk.com/Splexicon:Transformingcommand

So, a very simple search that would allow you to include “$result.source$” in your Subject or email body would be something like:

index=foo | head 1

But if you tried to do:

index=foo | stats count

none of the $result.*$ values are available.

A request to update docs has been submitted.

I want to use "$result." in my alert messages, but it doesn't work.

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes