Solved: action.email.message.alert value starting with a n...

mghori · ‎08-14-2019

I am trying to modify savedsearches.conf, and I wish to have the action.email.message.alert setting value be of multiple lines. This will be contained in the email body, and will inform the alert receiver on actions to perform. I am running into an issue as described below

Currently I have this configured as below

action.email.message.alert setting = some text \
additional text \
1. bullet point 1 \
2. bullet point 2 \

What I am seeing is that the alert message body is omitting any lines that start with a number, so in the above example the bullet points 1 and 2 are being omitted. Is this expected? Can lines not start with a number in the value for action.email.message.alert setting?

jawaharas · ‎08-14-2019

Interesting!

I can't reproduce the issue. Can you try to edit the email body content from GUI?

Below config worked for me:

action.email = 1
action.email.inline = 1
action.email.message.alert = The alert condition for '$name$' was triggered.\
\
1. Line one\
2. Line two
action.email.sendresults = 1

View solution in original post

mghori · ‎08-19-2019

Unfortunately I can't modify this using GUI due to company policies. But thanks for confirming that bullet points with numbers should work fine!

jawaharas · ‎08-14-2019

Interesting!

I can't reproduce the issue. Can you try to edit the email body content from GUI?

Below config worked for me:

action.email = 1
action.email.inline = 1
action.email.message.alert = The alert condition for '$name$' was triggered.\
\
1. Line one\
2. Line two
action.email.sendresults = 1

jawaharas · ‎08-19-2019

@mghori
Cool. Can you accept the answer if it helped you? Thanks.

action.email.message.alert value starting with a number

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...