-
Notifications
You must be signed in to change notification settings - Fork 0
Additional fields
Johan Godfried edited this page Feb 19, 2017
·
11 revisions
Any fields from the search results can be referenced in the alert message. In addition, you can add fields to the message in a table like style: a header on the left and the field value on the right. In fact, you can add any value you like here. Be that a fixed value, a result value via the macro system or Splunk token system or any other Splunk token value. Simply put it in a JSON structure. Put the header value as field name and the contents as the value:
{
'Header 1': 'fixed value',
'Header 2': '$name$',
'Header 3': '$result.fieldname$',
'Header 4': '{fieldname}'
}
- Header 1 shows the fixed value "fixed value"
- Header 2 shows the alert (savedsearch) name
- Header 3 shows the contents of the field "fieldname" from the search results. Only 1 of the results is used by Splunk so if there are multiple results, this value will always be the same
- Header 4 shows the contents of the field "fieldname" from the search results. However, if there are multiple results, it will be expanded for each of the results.