How To Change The Email Subject Dynamically With A Hidden Field

Hi Guys,
Today we have come with another interesting trick with Splunk Alerts. We all know that we can send mails from Splunk Alert Actions. But what if you want to change the subject line of the Alert's mail dynamically, from a hidden field in the Alert's query?

Did you hear about this before? 🤔

That is exactly what this blog covers.
So, let's start.
Step: 1
First, sign in to your Splunk instance with your username and password.

[Screenshot]

Step: 2
Now, click on the “Search & Reporting” app to open it.

[Screenshot]
Step: 3
Now, please see the query below, which shows the dataset we will use to build the alert's search.

index=test_index
| table Error,servername
| dedup Error,servername

[Screenshot]

Explanation:
Here, we have searched the index “test_index”. Then we have used the “table” and “dedup” commands to show the distinct values of the “Error” and “servername” fields in tabular form.
Now, if you check the “Error” field closely, you will find that each value starts with the Error type (e.g. FATAL ERROR, SYSTEM ERROR), followed by a colon and some message. We basically want to send this Error type as the “Subject” of the Alert, so we need to extract that portion. For that, please see the next step.

Step: 4

index=test_index
| table Error,servername
| dedup Error,servername
| rex field=Error "(?<err>.*?)\:"
| stats values(Error),values(servername) by err

[Screenshot]

Here, we have extracted the Error type into a field named “err” with the “rex” command.
Then we have added “| stats values(Error),values(servername) by err” to get the values of the “Error” field (“values(Error)”) and the values of the “servername” field (“values(servername)”), grouped by the values of the “err” field.
As you can see in the above image, the field “err” is visible and contains the Error type which we need to use in the subject of the Alert's mail. Now, as we mentioned, we want to set the subject of the Alert's mail from a hidden field, so we will use a trick to hide this field “err”. For that, please see the next step.

Step: 5

index=test_index
| table Error,servername
| dedup Error,servername
| rex field=Error "(?<_err>.*?)\:"
| stats values(Error),values(servername) by _err

[Screenshot]

Explanation:
Here, if you compare the above image with the above query, you can see that we have put an “_” (underscore) before “err” while extracting the field in the “rex” command (“_err”). As a result the field is no longer visible in the result set, because a field whose name starts with “_” is hidden from the results table by default.

NOTE: Don't forget to change the field used for grouping in the stats command to “_err” as well [please see the above image and the above query].

Step: 6
Now, please click on the “Save As” option on the right side.

[Screenshot]
Step: 7
Now, click on the “Alert” option.

[Screenshot]
Step: 8
Now we will configure the alert settings.

[Screenshot]

Explanation:
Here, we have given the alert the title “Production Application Error Alert” [you can give any relevant name].
We have set the Cron Expression to “*/2 * * * *”, so that the alert runs every 2 minutes [set it as per your requirement].
In the Trigger option we have selected “For each result”, so that the Alert is triggered separately for each row of the result set returned by the Alert's query.

[Screenshot]

Explanation:
Now, as we want to send mails from the Alert, we have selected the “Send email” option from the “Add Actions” menu.

[Screenshot]
Now, in “Send Email”, in the “To” section, we have added the recipient address to which we want to send the Alert's mail.
In the “Subject” section we have entered “Prod Application Error: $result._err$”, which sets the mail subject.
That is, “Prod Application Error:” is a fixed string, and “$result._err$” is a token that is replaced with the value of the “_err” field from the result row of the Alert's query, so that value appears in the subject right after the fixed string.
We have also checked the “Inline” box with the “Table” option so that we get the result table of the Alert in the mail as well.
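To show concretely what the search and the subject token produce, here is an added Python emulation of the blog's pipeline (dedup, rex with the “_err” group, stats by _err, and the “$result._err$” substitution) run over constructed sample rows; it is not code from the blog or from Splunk, and the row values are made up. It also surfaces a caveat worth knowing for alert coverage: an “Error” value with no colon gets no “_err”, stats drops that row, and no alert mail is ever sent for it.

```python
import re
from collections import defaultdict

# Constructed sample rows standing in for the Error/servername fields of index=test_index.
SAMPLE_ROWS = [
    {"Error": "FATAL ERROR: disk full on /var", "servername": "web01"},
    {"Error": "SYSTEM ERROR: service crashed", "servername": "app02"},
    {"Error": "FATAL ERROR: disk full on /var", "servername": "web01"},  # duplicate: removed by dedup
    {"Error": "FATAL ERROR: out of memory", "servername": "db01"},
    {"Error": "Timeout waiting for backend", "servername": "app03"},    # no colon: rex extracts nothing
]
# Python form of the blog's rex pattern "(?<_err>.*?)\:" (PCRE named group becomes (?P<...>)).
ERR_TYPE = re.compile(r"(?P<_err>.*?)\:")

def dedup(rows):
    """Emulates `| dedup Error,servername`: keep the first row for each (Error, servername)."""
    seen, out = set(), []
    for r in rows:
        if (r["Error"], r["servername"]) not in seen:
            seen.add((r["Error"], r["servername"]))
            out.append(r)
    return out

def rex_err(row):
    """Emulates the rex command: _err is added only when the pattern matches."""
    m = ERR_TYPE.search(row["Error"])
    return {**row, "_err": m.group("_err")} if m else dict(row)

def stats_by_err(rows):
    """Emulates `| stats values(Error),values(servername) by _err`; as in Splunk, rows with no _err are dropped."""
    groups = defaultdict(lambda: {"values(Error)": set(), "values(servername)": set()})
    for r in rows:
        if "_err" in r:
            groups[r["_err"]]["values(Error)"].add(r["Error"])
            groups[r["_err"]]["values(servername)"].add(r["servername"])
    return {k: {c: sorted(s) for c, s in v.items()} for k, v in groups.items()}

def render_subject(err_value, template="Prod Application Error: $result._err$"):
    """Emulates the alert's $result._err$ token substitution in the Subject field."""
    return template.replace("$result._err$", err_value)

def unextracted(rows=SAMPLE_ROWS):
    """Error values the rex never matches: these rows never reach the alert (a blind spot to watch)."""
    return [r["Error"] for r in dedup(rows) if "_err" not in rex_err(r)]

def run_pipeline(rows=SAMPLE_ROWS):
    """dedup -> rex -> stats; returns {error_type: (mail subject, grouped values)}, one entry per alert row."""
    grouped = stats_by_err(rex_err(r) for r in dedup(rows))
    return {k: (render_subject(k), v) for k, v in grouped.items()}
```

Calling run_pipeline() gives two alert rows with subjects “Prod Application Error: FATAL ERROR” and “Prod Application Error: SYSTEM ERROR”, while unextracted() lists the colon-less “Timeout waiting for backend” row that silently never triggers.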

Step: 9

[Screenshot]
Explanation:
Here, you can see we got the mail with the subject line “Prod Application Error: FATAL ERROR” for the “Production Application Error Alert” with the “result table”.

[Screenshot]
Explanation:
Here, you can see we got the mail with the subject line “Prod Application Error: SYSTEM ERROR” for the “Production Application Error Alert” with the “result table”.
So, we are getting a dynamic subject in the Alert's mail for the “Production Application Error Alert”, taken from the hidden field “_err”.

Hope you have understood the topic: How To Change The Email Subject Dynamically With A Hidden Field

Happy Splunking !!!
