Same here for me. I want to include some of the fields from the search result in the email-body (in the best case: in the To: address as well)...
Despite the documentation (http://docs.splunk.com/Documentation/Splunk/latest/Alert/Setupalertactions) stating that
I should be able to insert tokens in the mail body, all I get is empty text blocks...
I have some custom extracted fields, "Reason" and "vpnuser", in the search result that I want to show in the email. Following the documentation and using the $result.fieldname$ syntax, this would look something like this:
///
Connection to ... was rejected for
userA $vpnuser$
userB $result.vpnuser$
ReasonA: $Reason$
ReasonB: $result.Reason$
in lower case: $result.reason$
///
This produces a triggered email containing:
///
Connection to ... was rejected for
userA
userB
ReasonA:
ReasonB:
in lower case:
///
Any idea how to get the fields filled in?