macro system

Johan Godfried edited this page Feb 18, 2017 · 1 revision

Using the Splunk token system to send specific values to the Slack alert works exactly the same as it does for an email alert.

However, when you use the token system and the alert has multiple results, only one event is used to expand the $result.fieldname$ tokens, so the values of the other results are silently dropped.

To work around that, a macro system has been incorporated into the slackalert script. To use a macro, simply put { and } around a field name, like this: {fieldname}

Now, when the search returns multiple results, the slackalert script sends out a single alert that contains all of the result values, expanding the macro once for each result.
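The difference between the two mechanisms is easiest to see in code. The following Python is an added illustration written for this page, not the slackalert script's own code: it models Splunk's $result.fieldname$ expansion against only the first result, and the {fieldname} macro expansion against every result. The sample results, the exact characters allowed inside a macro name, and the choice to leave an unknown macro untouched rather than blank are all assumptions made here.

```python
import re
from typing import Dict, List

# Constructed sample results, shaped like the rows a Splunk alert hands to
# its alert-action script (assumption: plain string values per field).
SAMPLE_RESULTS: List[Dict[str, str]] = [
    {"src_ip": "10.0.0.5", "user": "alice", "count": "42"},
    {"src_ip": "10.0.0.9", "user": "bob", "count": "17"},
    {"src_ip": "10.0.0.12", "user": "carol", "count": "3"},
]

# $result.fieldname$ : Splunk's own token syntax
TOKEN_RE = re.compile(r"\$result\.([A-Za-z0-9_]+)\$")
# {fieldname} : the slackalert macro syntax (field-name charset is an assumption)
MACRO_RE = re.compile(r"\{([A-Za-z0-9_]+)\}")


def expand_tokens_first_result(template: str, results: List[Dict[str, str]]) -> str:
    """Model of $result.fieldname$ expansion: only the first result is used,
    no matter how many results the search returned."""
    if not results:
        return template
    first = results[0]
    # An unknown field is left as the literal token so the gap is visible.
    return TOKEN_RE.sub(lambda m: first.get(m.group(1), m.group(0)), template)


def expand_macros(template: str, results: List[Dict[str, str]]) -> List[str]:
    """Model of {fieldname} macro expansion: the template is expanded once
    per result, giving one line per result."""
    lines = []
    for row in results:
        # Unknown macros are left untouched rather than replaced with "".
        lines.append(MACRO_RE.sub(lambda m: row.get(m.group(1), m.group(0)), template))
    return lines


def build_alert(header: str, line_template: str, results: List[Dict[str, str]]) -> str:
    """Assemble a single alert body: a fixed header followed by one expanded
    macro line per result, which is what lets all result values reach Slack."""
    return "\n".join([header, *expand_macros(line_template, results)])


if __name__ == "__main__":
    # Token path: only alice appears, bob and carol are lost.
    print(expand_tokens_first_result("Login burst: $result.user$ from $result.src_ip$", SAMPLE_RESULTS))
    # Macro path: every result is rendered on its own line.
    print(build_alert("Login burst detected:", "{user} from {src_ip} ({count} hits)", SAMPLE_RESULTS))
```

Running the block prints one line for the token model and a header plus three lines for the macro model; a field name that exists in no result is left as its literal {name} so a typo in the macro is visible in the alert instead of producing an empty string.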