Dashboards & Visualizations

Not able to fetch extracted fields as tokens in email

Prabhakar_2
Engager

Hi,

I have extracted a field (j_scheduleid) using Interactive field extractor and I'm able to add that to the selected fields list. I created an alert and I'm able to fetch the data elements into the email using tokens like $result.host$ and $result.source$.. but the extractor field is not getting captured in the email.. like $result.j_scheduleid$

Assistance needed.

With Regards;
Rao

woodcock
Esteemed Legend

Is the alert running in the same app context as the field extraction KO exists? When you click on the alert link, is the field actually there (probably not)?

0 Karma

Prabhakar_2
Engager

You are correct. In the results link i am not able to spot the extracted field, the defaulted 3 fields are showing up. And its in the same app context where the KO (extracted fields) exists.

What could be the cause of getting the extracted field getting suppressed ?

0 Karma

woodcock
Esteemed Legend

You need to expand the effected scope of the field extraction KO or make your alert search match it's scope. It should be that if you personally own both the alert (saved search) and the field extraction KO and they are both in the same app, they should work together fine. Many people take the short-sighted approach of making the field extraction global scope but I would not do this without thinking about it.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...