Alerting

How to use renamed field values to dynamically populate alert values?

jmaple
Communicator

I am creating an alert and embedding the results inline. To make the table easier to digest for people who would receive the email, I renamed the fields to be a bit more friendly. The alert I am setting up would use the $result.email$ field to populate who the message is sent to. Since I've renamed the field, the result field is now different. Additionally, the new friendlier field names have spaces in them. Trying to configure the alert with the friendly name, $result."User Email"$ says it's invalid.

The documentation says, "First value for the specified field name from the first search result row. Verify that the search generates the field being accessed."

Does this mean all the fields prior to the final output of the search? If it doesn't, do I have to not rename the fields in my final result?

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Did you try just this $result.User Email$? Also, it would work just fine if you could just use underscore instead of space while renaming, still keeps it readable.

View solution in original post

somesoni2
SplunkTrust
SplunkTrust

Did you try just this $result.User Email$? Also, it would work just fine if you could just use underscore instead of space while renaming, still keeps it readable.

jmaple
Communicator

This works actually. I was expecting because of the space it required the quotes but it doesn't. Thanks for the awesome suggestion.

The hard part was I didn't want to test and have an email sent out on the alert before it's out of "beta" and panic someone. Luckily the results went to people that are aware of Splunk and I warned them ahead of time.

0 Karma

ppablo
Retired

Glad you found a working solution through @somesoni2! Don't forget to resolve the post by clicking Accept directly below his answer, and upvote it for helping you out 🙂

Cheers

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...