Hello Everyone,
I have created an alert which uses the sendresults command to format the email notification.
But the problem I have with this is that it does not have a View Splunk Results link to view the Splunk results.
So I have added addinfo to the search to grab the search id and appended it to the Splunk URL.
https://<hostname>:8000/en-US/app/search/search?sid=scheduler__user__search__RMD5fa2e7e4e362d_at_".$info_sid$."
| eval application_name = "<a href=https://<hostname>:8000/en-US/app/search/security_events_dashboard?form.field2=&form.application_name=" . application_name . ">" . application_name . "</a>"
| eval email_subj="Security Events Alert", email_body="<p>Hello Everyone,</p><p>You are receiving this notification because the application has one or more security events reported in the last 24 hours..<br></p><p>
Please click on the link available in the table to fetch events for specific application.</p>
</p><p>To view splunk results <a href=https://<hostname>:8000/en-US/app/search/search?sid=scheduler__user__search__RMD5fa2e7e4e362d_at_".$info_sid$.">Click here</a></p>"
I am able to receive the link, but this link is not loading. Could someone please assist me on this?
I want to receive a link similar to the one I receive when an alert is triggered.
Regards,
Sai
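The post above builds the notification HTML by string-concatenating field values (application_name, the search id) straight into href attributes and the page body. The following is an added example, not code from the original post or from Splunk: it shows how an external alert-action script would assemble the same two links, with the application name HTML-escaped and URL-encoded and the search id checked against a whitelist pattern before it is interpolated, so that a result field containing markup cannot inject HTML into the e-mail. SPLUNK_HOST, the function names and the sample rows are assumptions; the search id suffix in the sample is constructed.

```python
"""Build the HTML body of a Splunk alert e-mail with escaped field values.

Added example, not from the original post. Assumes the search ran
`| addinfo`, so every result row carries an `info_sid` field, and that
the rows reach this script as dicts (as an alert-action script would see
them). SPLUNK_HOST is a placeholder, not a real host.
"""
import html
import re
from urllib.parse import urlencode

SPLUNK_HOST = "splunk.example.internal:8000"  # placeholder hostname (assumption)

# A Splunk search id is expected to contain only letters, digits, '.', '_' and '-'.
# Anything else is rejected instead of being written into a link.
SID_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def search_results_link(sid: str) -> str:
    """Link to the 'View Splunk results' page for a search id, after validating it."""
    if not SID_RE.fullmatch(sid):
        raise ValueError(f"unexpected characters in sid: {sid!r}")
    return f"https://{SPLUNK_HOST}/en-US/app/search/search?{urlencode({'sid': sid})}"


def dashboard_link(application_name: str) -> str:
    """Link to the per-application dashboard; urlencode handles any odd characters."""
    params = urlencode({"form.field2": "", "form.application_name": application_name})
    return f"https://{SPLUNK_HOST}/en-US/app/search/security_events_dashboard?{params}"


def application_anchor(application_name: str) -> str:
    """Anchor tag for the table cell, with both the href and the visible text escaped."""
    href = html.escape(dashboard_link(application_name), quote=True)
    return f'<a href="{href}">{html.escape(application_name)}</a>'


def build_email_body(rows: list[dict]) -> str:
    """Assemble the e-mail body from result rows (all rows share one info_sid)."""
    if not rows:
        raise ValueError("no result rows")
    results_href = html.escape(search_results_link(rows[0]["info_sid"]), quote=True)
    table_rows = "".join(
        f"<tr><td>{application_anchor(r['application_name'])}</td></tr>" for r in rows
    )
    return (
        "<p>Hello Everyone,</p>"
        "<p>You are receiving this notification because the application has one or more "
        "security events reported in the last 24 hours.<br></p>"
        "<p>Please click on the link available in the table to fetch events for specific "
        "application.</p>"
        f"<table>{table_rows}</table>"
        f'<p>To view Splunk results <a href="{results_href}">Click here</a></p>'
    )


if __name__ == "__main__":
    # Constructed sample rows: the second application name carries markup on purpose
    # to show that it is rendered as text, not as HTML.
    SAMPLE_SID = "scheduler__user__search__RMD5fa2e7e4e362d_at_1700000000_1234"  # constructed
    sample_rows = [
        {"application_name": "payroll", "info_sid": SAMPLE_SID},
        {"application_name": "<script>alert(1)</script>", "info_sid": SAMPLE_SID},
    ]
    print(build_email_body(sample_rows))
```

The sid validation matters because the id is the one value that is copied verbatim into the link; rejecting an unexpected value with an exception is preferable to sending a notification whose "Click here" points somewhere other than the search job.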
Have you tried to just use $info_sid$ in the href?
| eval application_name = "<a href=https://<hostname>:8000/en-US/app/search/security_events_dashboard?form.field2=&form.application_name=" . application_name . ">" . application_name . "</a>"
| eval email_subj="Security Events Alert", email_body="<p>Hello Everyone,</p><p>You are receiving this notification because the application has one or more security events reported in the last 24 hours..<br></p><p>
Please click on the link available in the table to fetch events for specific application.</p>
</p><p>To view splunk results <a href=https://<hostname>:8000/en-US/app/search/search?sid=".$info_sid$.">Click here</a></p>"
If your scheduled search has already sent an alert, you can go to the "Activities" menu and find the exact URL for that search. I don't believe that Splunk accepts anything except the dotted numerals SID.