Solved: Alert email formatting issue

thepocketwade · ‎09-14-2010

I've got a saved search that's emailing me results up to this morning it was sending the results in a table with the fields I'd specified (with the fields command) in addition to _time and _raw.

This morning I decided to try and strip _time out of the table, and was unable to get _time out and keep the fields I wanted. I'm ok with that, more or less for now, but now instead of the table formatting it's all jumbled text that's hard to read. Is there a way to get the formatting back to the table?

This is the search: process="sudo" incorrect | rex "(?i)^(?:[^:]*:){3}\s+(?P\w+)\s+:" | fields uid, host, COMMAND

ftk · ‎09-14-2010

The easiest way to control which fields get passed to an alert email is with the table command instead of fields.

process="sudo" incorrect | rex "(?i)^(?:[^:]*:){3}\s+(?P\w+)\s+:" | table uid, host, COMMAND

But you could also do using fields

process="sudo" incorrect | rex "(?i)^(?:[^:]*:){3}\s+(?P\w+)\s+:" | fields - _* | fields uid, host, COMMAND

View solution in original post

ftk · ‎09-14-2010

The easiest way to control which fields get passed to an alert email is with the table command instead of fields.

process="sudo" incorrect | rex "(?i)^(?:[^:]*:){3}\s+(?P\w+)\s+:" | table uid, host, COMMAND

But you could also do using fields

process="sudo" incorrect | rex "(?i)^(?:[^:]*:){3}\s+(?P\w+)\s+:" | fields - _* | fields uid, host, COMMAND

thepocketwade · ‎09-14-2010

Thanks for your quick help. I tried using fields, but when I did "fields - _raw, _time" I wound up with other fields that hadn't previously been in the email (e.g. index, process, source etc).

ftk · ‎09-14-2010

Can you please post your saved search?

Alert email formatting issue

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases

Detecting Remote Code Executions With the Splunk Threat Research Team