Dashboards & Visualizations

Adding Alert Trigger Condition (token) to Email

RMartinezDTV
Path Finder

Hello all, is there a token usable in the Email alert body that indicates the Trigger Condition?
I'm using a "Custom" trigger condition and would like to include it in the email to normalize expectations of the alert threshold.

From the documentation page (http://docs.splunk.com/Documentation/Splunk/6.3.2/Alert/Emailnotification), I see both $trigger_date and $trigger_time$ but no $trigger_condition$ or similar. Is there an undocumented token for this?

I could try to re-write the search string to include the condition but that's not exactly desirable for a few different reasons. Anyway, this seems like an obvious token that should be in place already.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

While setting up the alert from the UI, you've option to include trigger condition with the email.

See the first image on the this link
http://docs.splunk.com/Documentation/Splunk/latest/Alert/Emailnotification#Configure_email_notificat...

alt text

0 Karma

RMartinezDTV
Path Finder

Yes I see that but its placement cannot be controlled. I want to include it in the main body text like in the middle of a sentence. The problem is sending to lower tier groups and those who may not be familiar with Splunk as they wouldn't understand "count > 350" for example. I can give them the Search String too but that's beyond their comprehension level.

To be honest, if Splunk provides it in the UI then I'd be surprised that it wasn't also an undocumented token. Splunk tends to "eat their own dog food" when designing UI feature.

0 Karma

isfleming
Explorer

I have the same issue when trying to write a custom alert action. I can't seem to find the token for trigger condition if it even exists. It is supplied to a standard alert actin script as a positional parameter so it must be available somewhere.

Did you have any luck in finding a token name for trigger condition?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...