Solved: How to select fields for email alert

Jaci · ‎05-06-2010

Is there any way to control the reported fields in an email alert? I have configured splunk to add the search results inline, but I don't need all the fields it is showing. I only want the host and _raw fields to show up in the email. Can you point me in the direction where I can change this behavior?

Dan · ‎05-06-2010

You can control this by appending "| fields + host,_raw" to the search string

View solution in original post

CerielTjuh · ‎05-07-2010

If Splunk is showing more fields then those two (_time) you can remove the fields you don't want by issuing the command | fields - _time after the | fields + host, _raw.

View solution in original post

CerielTjuh · ‎05-07-2010

If Splunk is showing more fields then those two (_time) you can remove the fields you don't want by issuing the command | fields - _time after the | fields + host, _raw.

Jaci · ‎05-07-2010

Thank you for the answer, this is helpful.

Dan · ‎05-06-2010

You can control this by appending "| fields + host,_raw" to the search string

Jaci · ‎05-07-2010

This is exactly what I was looking for. Thank you

How to select fields for email alert

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?