TechQA.

Getting value from splunk search result to Email Alert Message

1.6k views Asked by At

Im trying to get values from a splunk search into an email alert Message. My splunk search query used to trigger an alert is "resourceGroup="myResourceGroup" severity="Error" (simplified version). The output of the search looks like this

   {
   msg: Error encountered will getting details from API 
   resourceGroup: myResourceGroup
   severity: Error
   sourceContext: SystemContext
   success: false
  }

Q1: How do i get the msg value from the search result in my email alert? Below is a screen shot of splunk Alert Email Message Box?

Q2: Say i wanted to send msg and sourceContext, is there a way to insert ONLY these fields into a custom table?

.

enter image description here

email alert splunk splunk-query splunk-dashboard
Original Q&A
1

There are 1 answers

0
RichG On

The first step is to extract the fields you want to use in the alert. A simple way to do that (if not already done) is with rex.

resourceGroup="myResourceGroup" severity="Error"
| rex "msg: (?<msg>[^\n}+)"
| rex "sourceContext: (?<sourceContext>\S+)"

Then reference the fields within $ in the alert message.

Msg = $msg$
sourceContext = $sourceContext$

Related Questions in EMAIL

Related Questions in ALERT

Related Questions in SPLUNK

Related Questions in SPLUNK-QUERY

Related Questions in SPLUNK-DASHBOARD

Popular Questions

Trending Questions