All Apps and Add-ons

Email alert fields interpolation

yusufhc
New Member

I am trying to format the alert email triggered on an event. I have the following search query, which WORKS. It lists all the three fields

configurationItem.resourceType=TERM(AWS::EC2::SecurityGroup) configurationItemDiff.changeType=UPDATE "configurationItem.configuration.ipPermissions{}.ipRanges{}"="0.0.0.0/0" | fields + configurationItem.configuration.groupName,configurationItem.configuration.groupId,configurationItem.configuration.ipPermissions{}.fromPort

In the email action I have the following:

The security group "$result.configurationItem.configuration.groupName$" with group id: "$result.configurationItem.configuration.groupId$" was modified to allow ingress from 0.0.0.0/0 on port "$result.configurationItem.configuration.ipPermissions{}.fromPort$". This is against security best practices.

The output (email received) is:
The security group "management-sonar" with group id: "sg-0869426c" was modified to allow ingress from 0.0.0.0/0 on port "$result.configurationItem.configuration.ipPermissions{}.fromPort$". This is against security best practices.

The fromPort field is not interpolated. Any advice on why this doesn't work?

Regards.

0 Karma

yusufhc
New Member

Got this working by tweaking the query to include rename

configurationItem.resourceType=TERM(AWS::EC2::SecurityGroup) configurationItemDiff.changeType=UPDATE "configurationItem.configuration.ipPermissions{}.ipRanges{}"="0.0.0.0/0" | fields + configurationItem.configuration.groupName,configurationItem.configuration.groupId,configurationItem.configuration.ipPermissions{}.fromPort | rename configurationItem.configuration.ipPermissions{}.fromPort AS fromPort

and including "fromPort" field in the email template:
The security group "$result.configurationItem.configuration.groupName$" with group id: "$result.configurationItem.configuration.groupId$" was modified to allow ingress from 0.0.0.0/0 on port "$result.fromPort$". This is against security best practices.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...