Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Inbuilt token in email alert is only sending first result, not all results from the column

amalkapuram
New Member
‎10-10-2017 10:42 AM

Hello Splunkers,

I am trying to setup the alerts go to email and other integrations. When I use the inbuilt tokens like "$results.x$"- it gives only the first result from the search. How should I access other fields from the search results?

My search is something like this: index=* "xxxxxx" |.....|stats count by domain, name, ip

This search usually gives 3-4 unique columns like this-
| Domain | Name | IP |
| A | B | C |
| D | E | F |
| H | I | J |

Email alert should have all the results(columns) in it. Please help.

Thanks in advance.

0 Karma
Reply

unstable23
New Member
‎06-13-2019 08:36 AM

Had the same problem but figured it out from looking at notable events, which behave the 'right' way.

At least in 7.2.x, you need to set

alert.digest_mode = 0

on the search in savedsearches.conf.
After that, using the $result.foo$ tokens in alerts will give you each of the events not just the first.

By default it's set to 1/true.

0 Karma
Reply

hardikJsheth
Motivator
‎10-11-2017 05:22 AM

I think you are using Trigger= "once" option for your alert. In case you wish to send information for each row, you can change this option to "For each result".

With this option you will be able to get appropriate value for each token $result.$. However it will trigger as many mails as number of results.

0 Karma
Reply

niketn
Legend
‎10-11-2017 12:03 AM

@amalkapuram, $result.<fieldname>$ token is built to pull only the first row. You either need to have your query to filter to specific row you are interested in, or may be try transpose command to have results in single row (not sure if it is possible for three columns in your case).

Refer to Documentation: https://docs.splunk.com/Documentation/Splunk/latest/Alert/EmailNotificationTokens#Result_tokens

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...