Re: Plain Text Email options

diegosainz · ‎11-15-2012

I would like to modify the plain text email option to remove the _raw and the dashes from the top of the email. Is there a simple way to make that modification?

itinney · ‎11-15-2012

The inclusion of the _raw field is down to the search itself, so you can have it excluded by using the fields command, i.e.

sourcetype=blah | fields - _raw

or to exclude all hidden fields

sourcetype=blah | fields - _*

If you really only need specific fields, then use the table command to specify which fields you want displayed,
i.e.

sourcetype=blah | table source, sourcetype, host, index

The dashes at the top underline the header row, do you not want any column headings? Without the _raw field you will only have a table of fields and the header row is surely useful?

itinney · ‎11-15-2012

It might help to include your search, but I would guess that the search just needs to have the following added to the end of it:
... | fields - _raw

diegosainz · ‎11-15-2012

Thanks for the quick response. I am looking to have the email sent to an automated ticketing system and would like just the field data in there. I have removed all but the _raw field and do not have a table in the plain test. The dashes themselves are more cosmetic for removal.

Plain Text Email options

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...