Additional fields

Johan Godfried edited this page Mar 20, 2017 · 11 revisions

Any field from the search results can be referenced in the alert message. In addition, you can add fields to the message in a table-like style: a header on the left and the field value on the right.

There are three parts in this section. First, you can decide to put all fields from the search result in the message by clicking the Yes button. If the Yes button is not selected, you can specify which fields need to be sent to the message by listing them, comma-separated, in the second field. For both of these options, the field name from the search result will be the header on the left and the value will be placed on the right.

The third section only comes into effect when the first option is NOT Yes and the second option is empty. Here you can add any value you like: a fixed value, a result value via the macro system or the Splunk token system, or any other Splunk token value. Simply put it in a JSON structure, with the header as the field name and the contents as the value:

{
    "Header 1": "fixed value",
    "Header 2": "$name$",
    "Header 3": "$result.fieldname$",
    "Header 4": "{fieldname}"
}

  • Header 1 shows the fixed value "fixed value"
  • Header 2 shows the alert (savedsearch) name
  • Header 3 shows the contents of the field "fieldname" from the search results. Only one of the results is used by Splunk, so if there are multiple results this value will always be the same
  • Header 4 shows the contents of the field "fieldname" from the search results. However, if there are multiple results, it will be expanded for each of the results.
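To make the precedence of the three settings and the difference between the two result macros concrete, here is an added Python model of the behaviour described above. It is not the add-on's own code; the alert name, the search results and the settings are constructed sample values, and the exact token syntax the add-on accepts is assumed to be the one shown on this page.

```python
import json
import re

# Constructed sample search results (two rows) and a constructed JSON setting.
SAMPLE_RESULTS = [
    {"user": "alice", "src_ip": "10.0.0.5", "count": "3"},
    {"user": "bob", "src_ip": "10.0.0.9", "count": "7"},
]
SAMPLE_JSON = json.dumps({
    "Severity": "high",             # fixed value
    "Alert": "$name$",              # alert (savedsearch) name
    "First user": "$result.user$",  # taken from the first result only
    "Source IP": "{src_ip}",        # expanded once per result
})


def build_rows(results, alert_name, all_fields=False, field_list="", extra_json=""):
    """Return the (header, value) rows of the message table.

    Precedence follows the page: 'Yes' (all fields) wins, then the
    comma-separated field list, and the JSON only when both are unset.
    """
    first = results[0] if results else {}
    if all_fields:
        return list(first.items())
    names = [f.strip() for f in field_list.split(",") if f.strip()]
    if names:
        return [(n, first.get(n, "")) for n in names]
    rows = []
    for header, value in json.loads(extra_json or "{}").items():
        value = value.replace("$name$", alert_name)
        # $result.x$ is resolved against the first result only
        value = re.sub(r"\$result\.(\w+)\$",
                       lambda m: str(first.get(m.group(1), "")), value)
        if re.search(r"\{\w+\}", value):
            # {x} produces one row per search result
            for r in results:
                rows.append((header, re.sub(r"\{(\w+)\}",
                                            lambda m, r=r: str(r.get(m.group(1), "")),
                                            value)))
        else:
            rows.append((header, value))
    return rows


if __name__ == "__main__":
    for header, value in build_rows(SAMPLE_RESULTS, "Suspicious logins", extra_json=SAMPLE_JSON):
        print(f"{header:<12} {value}")
```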