Solved: Using $result.fieldname$ in email text/body (splun...

nadlurinadluri · ‎08-12-2018

I am trying to use results of an alert and send it as a slack message. The output of the alert has two rows and two columns. How to send all the output in the body? Using $result.fieldname$ gives only the first row of that field. How can we get the second row too, of that field and show that in the body?

burwell · ‎08-12-2018

So let's say you were searching for

  index="foo" "some error condition"

You could create a new field by combining two fields together

 index="foo" "some error condition" 
   | eval newfield=field1 + " " + field2
   | stats values(newfield) as newfieldValues

And then use $result.newfieldValues$ in slack.

Sometimes I combine the fields with an =

For example

   index="foo" "some error condition"
   | eval hostsAndValue=host + "=" + somefield
   | stats values(hostsAndValue) as badHosts

Then I use $result.badHosts$ in slack.

View solution in original post

burwell · ‎08-12-2018

So let's say you were searching for

  index="foo" "some error condition"

You could create a new field by combining two fields together

 index="foo" "some error condition" 
   | eval newfield=field1 + " " + field2
   | stats values(newfield) as newfieldValues

And then use $result.newfieldValues$ in slack.

Sometimes I combine the fields with an =

For example

   index="foo" "some error condition"
   | eval hostsAndValue=host + "=" + somefield
   | stats values(hostsAndValue) as badHosts

Then I use $result.badHosts$ in slack.

nadlurinadluri · ‎08-17-2018

Sorry for the delay!! But I did something similar, to get the required output!! After getting the output with many rows, I combined those values in a single filed (multi valued field; using mvappend)

Using $result.fieldname$ in email text/body (splunk email alert)

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life