When I perform a scheduled search (or realtime search) that triggers an alert, how can I include the effective search range (dates/times) in the alert email?
For example: "Splunk Alert: Widgets sold between 10/25 08:00:00 and 10/25 18:00:00", where the search range was 8 am through 6 pm today?
At the end of the search, you could do this:
... | addinfo
| eval searchStartTime=strftime(info_min_time,"%x %X")
| eval searchEndTime=strftime(info_max_time,"%x %X")
Now the search range will be part of your search results. This is a simple thing to do.
If you really want to change the format of the alert email, take a look at this answer:
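As an added example that is not part of the answer above (the index, sourcetype and field names are assumptions for illustration): a complete scheduled search that counts widget sales over the scheduled window, uses addinfo to read the effective search boundaries, and builds a ready-made subject line in the format the question asks for. It also handles the all-time case, where addinfo reports info_max_time as "+Infinity" rather than a timestamp.

```spl
index=sales sourcetype=widget_orders product="widget"   ` assumed index/sourcetype/field `
| stats count AS widgets_sold                           ` one summary row, even when no events match `
| addinfo                                               ` adds info_min_time / info_max_time (epoch) `
| eval rangeStart=strftime(info_min_time, "%m/%d %H:%M:%S")
| eval rangeEnd=if(info_max_time=="+Infinity", "now",   ` all-time searches have no upper bound `
                   strftime(info_max_time, "%m/%d %H:%M:%S"))
| eval subject="Splunk Alert: " . widgets_sold . " widgets sold between " . rangeStart . " and " . rangeEnd
| fields widgets_sold rangeStart rangeEnd subject
```

In the alert's email action, set the subject to `$result.subject$` (and `$result.rangeStart$` / `$result.rangeEnd$` can be used in the message body the same way). Because stats always returns a row, do not trigger on "number of results greater than 0"; use a custom trigger condition such as `search widgets_sold > 0` so the alert only fires when something was actually sold in the window.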