Not able to fetch extracted fields as tokens in em...

Prabhakar_2 · ‎08-09-2017

Hi,

I have extracted a field (j_scheduleid) using Interactive field extractor and I'm able to add that to the selected fields list. I created an alert and I'm able to fetch the data elements into the email using tokens like $result.host$ and $result.source$.. but the extractor field is not getting captured in the email.. like $result.j_scheduleid$

Assistance needed.

With Regards;
Rao

woodcock · ‎08-09-2017

Is the alert running in the same app context as the field extraction KO exists? When you click on the alert link, is the field actually there (probably not)?

Prabhakar_2 · ‎08-09-2017

You are correct. In the results link i am not able to spot the extracted field, the defaulted 3 fields are showing up. And its in the same app context where the KO (extracted fields) exists.

What could be the cause of getting the extracted field getting suppressed ?

woodcock · ‎08-09-2017

You need to expand the effected scope of the field extraction KO or make your alert search match it's scope. It should be that if you personally own both the alert (saved search) and the field extraction KO and they are both in the same app, they should work together fine. Many people take the short-sighted approach of making the field extraction global scope but I would not do this without thinking about it.

Not able to fetch extracted fields as tokens in email

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk