Solved: Alerts search query

Ant1D · ‎10-16-2012

Hey,

When I receive a Splunk alert, the email contains the Splunk search query which was executed in order to trigger the alert.

How do I stop the search query from being included in the body of the email alerts that get sent out?

Thanks in advance for your help.

Ant1D · ‎12-12-2012

A suitable, but possibly inefficient way to get around this would be to use search macros. The query that triggers the alert can be stored in a search macro. This would mean that when the alert is sent, the email will only contain the name of the search macro. This means that the search query is hidden from the email recipient.

View solution in original post

Ant1D · ‎12-12-2012

A suitable, but possibly inefficient way to get around this would be to use search macros. The query that triggers the alert can be stored in a search macro. This would mean that when the alert is sent, the email will only contain the name of the search macro. This means that the search query is hidden from the email recipient.

theouhuios · ‎10-16-2012

There should be a include results check box under alerts. AFAIK if you don't tick that option you won't get the results in that alert.

Ant1D · ‎10-17-2012

Unticking that box would mean that the results are not returned and the results should be returned. The search which produces those results is included in the email. This is not wanted. At present, I believe that a workaround might be to convert the search to a macro but I haven't tested this yet. If this works, then a simple macro name will be returned in the email and not the entire search query.

Alerts search query

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk