Solved: Display 'Description' field in the emailed results...

nocostk · ‎02-09-2011

When setting up a scheduled search there is a field 'Description'. I use this field to note ticket numbers, wiki articles, etc. I'd like this field to be shown in the emailed results of my saved searches. Is there a way to do this?

nocostk · ‎02-10-2011

According to Splunk support there is no way to do this. A feature request was submitted.

View solution in original post

nocostk · ‎02-10-2011

According to Splunk support there is no way to do this. A feature request was submitted.

gkanapathy · ‎02-10-2011

The email script could in principle be modified to take the saved search name and make a REST API call to get the description, but that part of the API isn't fully published and it seems like a lot of trouble right now.

Brian_Osburn · ‎02-09-2011

Can you provide the query you are running to generate the scheduled search?

You may be able to to send everything to:

| table field1,field2,description

Brian_Osburn · ‎02-11-2011

Ahhhh. Looks like i totally missed the point of the question. sorry about that

nocostk · ‎02-09-2011

Hmm, well it could be any query. For example, I could just setup an alert to notify me if "foo" was found in my apache logs. What I'm looking for is to include the description defined in the alert creation within the emailed alert.

Display 'Description' field in the emailed results of a scheduled search.

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?