O'Neil Tomlinson
Reputation: 888
Getting value from splunk search result to Email Alert Message
Im trying to get values from a splunk search into an email alert Message. My splunk search query used to trigger an alert is "resourceGroup="myResourceGroup" severity="Error" (simplified version). The output of the search looks like this
{
msg: Error encountered will getting details from API
resourceGroup: myResourceGroup
severity: Error
sourceContext: SystemContext
success: false
}
Q1: How do i get the msg value from the search result in my email alert? Below is a screen shot of splunk Alert Email Message Box?
Q2: Say i wanted to send msg and sourceContext, is there a way to insert ONLY these fields into a custom table?
.
Upvotes: 1
Views: 2011
Answers (1)
RichG
Reputation: 9926
The first step is to extract the fields you want to use in the alert. A simple way to do that (if not already done) is with rex.
resourceGroup="myResourceGroup" severity="Error"
| rex "msg: (?<msg>[^\n}+)"
| rex "sourceContext: (?<sourceContext>\S+)"
Then reference the fields within $ in the alert message.
Msg = $msg$
sourceContext = $sourceContext$
Upvotes: 0
Related Questions
- SPLUNK use result from first search in second search
- How can we create splunk alerts using config files?
- How to extract a field from a Splunk search result and do stats on the value of that field
- Splunk base search on dashboard and post processing the results
- Splunk Alert Creation
- Setting up Splunk alerting
- Setting up alerts for metrics in Splunk
- Assign a value to the variable in Splunk and use that value in the search
- How to make an Alert in Splunk?
- Splunk alert based on the search result value