Hi,
I'm on v6.1.4 and have real-time alerts configured and they are triggering and sending e-mails fine, but the e-mail message content doesn't include the results from the search/alert.
I'm trying to get some of the field names that I have defined to show up in the alert e-mail body but all I get are blanks. I've also tried just having the entire result included in the e-mail message and that shows as a blank also.
I am using the tokens $result.fieldname$ in the message. In my example, it is $result.username$ where username is a field that I have defined.
Thank you!
Hello, I had the same issue, it didn't work for me either. I solved it with an explicit field definition, in your case YOURSEARCH | fields username, vpnuser, Reason ....
Then the tokens $result.username$, $result.vpnuser$, $result.Reason$ started to work in e-mail definition...
This worked for me...thanks!
This will give me the first value of that field (first row), but in my case, I need 2 rows. Any idea how to solve this?
Same here for me. I want to include some of the fields from the search result in the email-body (in the best case: in the To: address as well)...
Despite the documentation (http://docs.splunk.com/Documentation/Splunk/latest/Alert/Setupalertactions) stating I should be able to insert tokens in the mail body, all I get is empty text blocks...
I have some (custom extracted fields) "Reason" and "vpnuser" in the search result I want to show in the email. Following the documentation using the $result.fieldname$ syntax, this would look something like this:
///
Connection to ... was rejected for
userA $vpnuser$
userB $result.vpnuser$
ReasonA: $Reason$
ReasonB: $result.Reason$
in lower case: $result.reason$
///
This produces a triggered email containing:
///
Connection to ... was rejected for
userA
userB
ReasonA:
ReasonB:
in lower case:
///
Any idea how to get the fields filled in?
You mean when you get the alerts and you click that link, it is not redirecting to the right URL, or is it some other issue?
more alert_actions.conf
[email]
reportPaperSize = ledger
mailserver = smtp.glb.tiaa-cref.org
[default]
hostname = complete FQDN name
maxresults = 10000
maxtime = 5m
track_alert = 0
ttl = 10p
I'm not using the results URL, but instead I'm embedding fields (variables) from the results into the e-mail message body but I'm only getting blanks. I also get a blank when I try to embed all results using the token $result$, which I would expect to be text, not a URL.
Are you recommending that I check my mailserver name? If so, I'm just using a gmail account to send the alert messages.