I need to pass JSON formatted data to the AWS SNS alert.
What I have is a table. I created an SNS alert (save as alert->choose AWS SNS)
When sent through SNS alert the format is not JSON.
How can I format this table in JSON?
idea 1 : use the json tool app https://splunkbase.splunk.com/app/3540/ (note, i haven't tried it, but seems to do the job)
idea 2 : use SPL to create a new field containing the entire line into JSON format, and pass this field to sns alert
index=xx
| eval message="{"
| foreach *
[eval message=if("<
| eval message=rtrim(message, " ,")| eval message=message." }"
--
then finally pass the field message : $result.message$ to sns alert