Regardless of what I put in the subject of an email alert, what comes back for subject is Splunk Alert: $searchname$. I have multiple use cases where it would help to have tokens in email subject.
Config of an example search from the app's savedsearches.conf, which I can see. I am a power user, not a Splunk admin, so I can't see the system-level config/defaults.
Thanks in advance.
[mysavedalert]
action.email = 1
action.email.format = table
action.email.include.results_link = 0
action.email.include.view_link = 0
action.email.message.alert = $result._raw$
action.email.reportServerEnabled = 0
action.email.subject.alert = Splunk Alert: New Failure - Client: $result.CLIENT$ Branch: $result.BRANCH$ Time: $result._time$
action.email.to = me@mycompany.com
action.email.useNSSubject = 1
alert.digest_mode = False
alert.expires = 1h
alert.suppress = 0
alert.track = 1
auto_summarize.dispatch.earliest_time = -1d@h
counttype = number of events
cron_schedule = */15 * * * *
dispatch.earliest_time = -30m@m
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype"]
display.general.type = statistics
display.page.search.mode = fast
display.visualizations.chartHeight = 520
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = EventKNow
request.ui_dispatch_view = search
search = "mysearch"
Bueller??? Anyone? Is there a system-level setting that would prevent email titles from changing?
Hey snoobzilla, did this get resolved? I have the same issue.
You could try this Q&A to send emails to separate addresses:
So now I seem to be able to modify email subjects. On further investigation, it seems that you cannot include search fields specific to results in the Subject, e.g.
This string: Subject Test: Search: $name$ Results: $results.count$ Date: $result.Date$ Client: $result.Client$
In Subject: Subject Test: Search: This is Search Name Results: 1 Date: Client:
In Body: Subject Test: Search: This is Search Name Results: 1 Date: 2016/04/05 Client: 12345678
It doesn't seem to matter what the other email parameters are. Per result, per search, inline table, etc.: from Splunk Web it does not want to put $result.fieldname$ in the subject.
@woodcock thanks for your feedback. Will probably go that direction.
SPLUNK: It would be extremely helpful to be able to do per result emails with field values in subject... this would allow same email to indicate actionable or not, etc. Please consider putting this capability in Splunkweb.
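The per-result subject the thread is asking for is straightforward to build outside Splunk Web. The following is an added example (not Splunk's sendemail action and not the solution referred to elsewhere in this thread): a custom alert action script in the style of Splunk's custom alert action framework, which passes the script a JSON payload on stdin with, among others, the keys `search_name`, `results_file` (a gzipped CSV of the results) and `configuration`. The three action parameters it reads from `configuration` (`subject`, `body`, `to`), the sender address and the sample rows are assumptions made for the example. It expands `$result.FIELD$`, `$name$` and `$job.resultCount$` per row, and it strips CR/LF from anything that lands in a header, because a raw field value placed in the Subject could otherwise inject additional headers such as `Bcc:`. Sending over SMTP is left out; the function returns the built messages.

```python
"""Added example: a Splunk-style custom alert action that builds one e-mail per
result, expanding $result.FIELD$, $name$ and $job.resultCount$ tokens in the subject.
Illustrative code only: not Splunk's own sendemail action and not the thread's
solution. Assumes the custom alert action stdin JSON payload (search_name,
results_file, configuration) and three hypothetical action parameters: subject,
body and to."""
import csv
import gzip
import json
import re
import sys
from email.message import EmailMessage

# Tokens we expand: $result.<field>$, $name$ (saved search name) and
# $job.resultCount$ (number of rows in the result set).
TOKEN_RE = re.compile(r"\$(result\.[A-Za-z0-9_]+|name|job\.resultCount)\$")

# Constructed sample rows standing in for results.csv.gz. The second row carries a
# CR/LF sequence to show why header values must be sanitised before use.
SAMPLE_ROWS = [
    {"CLIENT": "12345678", "BRANCH": "42", "_time": "2016-04-05 10:15:00",
     "_raw": "client=12345678 branch=42 status=FAIL"},
    {"CLIENT": "evil\r\nBcc: attacker@example.com", "BRANCH": "7",
     "_time": "2016-04-05 10:30:00", "_raw": "client=evil branch=7 status=FAIL"},
]

# Same subject template as the savedsearches.conf stanza quoted in the question.
SUBJECT_TPL = ("Splunk Alert: New Failure - Client: $result.CLIENT$ "
               "Branch: $result.BRANCH$ Time: $result._time$")
BODY_TPL = "$result._raw$"


def sanitize_header(value):
    """Collapse CR/LF so a field value cannot inject extra headers (e.g. Bcc:)."""
    return re.sub(r"[\r\n]+", " ", str(value)).strip()


def expand(template, row, search_name, result_count):
    """Expand tokens against one result row; fields missing from the row become ''."""
    def sub(match):
        token = match.group(1)
        if token == "name":
            return search_name
        if token == "job.resultCount":
            return str(result_count)
        return row.get(token[len("result."):], "")
    return TOKEN_RE.sub(sub, template)


def build_messages(rows, subject_tpl, body_tpl, search_name, sender, recipient):
    """One EmailMessage per row (per-result alerting); returns them unsent."""
    messages = []
    for row in rows:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = recipient
        msg["Subject"] = sanitize_header(expand(subject_tpl, row, search_name, len(rows)))
        msg.set_content(expand(body_tpl, row, search_name, len(rows)))
        messages.append(msg)
    return messages


def read_results(path):
    """The alert action framework hands the script a gzipped CSV of the results."""
    with gzip.open(path, "rt", newline="") as fh:
        return list(csv.DictReader(fh))


def main():
    if sys.stdin.isatty():  # no Splunk payload on stdin: run on the constructed rows
        rows, search_name, cfg = SAMPLE_ROWS, "mysavedalert", {}
    else:
        payload = json.load(sys.stdin)
        rows, search_name = read_results(payload["results_file"]), payload["search_name"]
        cfg = payload.get("configuration", {})
    msgs = build_messages(rows, cfg.get("subject", SUBJECT_TPL), cfg.get("body", BODY_TPL),
                          search_name, "splunk@mycompany.com", cfg.get("to", "me@mycompany.com"))
    for msg in msgs:  # a real action would hand each message to smtplib here
        print(msg["Subject"])


if __name__ == "__main__":
    main()
```

The recipient could equally be taken from a result field for the per-result addressing mentioned later in the thread; run it through `sanitize_header` in the same way, since `To` is a header as well.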
OK, so if we agree that this is as close as you can get, you should probably click Accept to close the question.
I already have another alert that sends emails to different email addresses for each result using splunkweb interface and a results token. I would have liked to have custom email subject in that one too.
So thank you for the feedback, but issue I am trying to solve for is specific to email subject.
Nothing I do in splunkweb email action changes the email title from Splunk Alert: $searchname$ whether tokens are present or not.
My solution allows you to specify specific subjects using tokens.
Thanks. That may be direction I end up going in.
I was hoping to use splunkweb directly as I am not the only one facing this issue.
Right now we are having problems where scheduled jobs occasionally stop firing altogether since the Search Head Clustering update, so this is on the back burner at the moment.
Does every event in your results contain all three of the fields CLIENT, BRANCH and _time, and does every event have the EXACT SAME VALUE?
No, this is an example of one where I am sending separate email for every result.