
How To Change The Email Subject Dynamically With A Hidden Field

Hi Guys,
Today we have come with another interesting trick for Splunk Alerts. We all know that we can send mails from Splunk Alert Actions. But what if you want to change the subject line of the Alert's mail dynamically, using a hidden field from the Alert's query?

Did you hear about this before 🤔

That is exactly what this blog is for.
So, let's start.
Step: 1
First, sign in to your Splunk instance with your username and password.

[Screenshot 3]

Step: 2
Now, click on the “Search & Reporting” app to go inside the app.

[Screenshot 2]
Step: 3
Now, please see the query below, which shows the dataset we will use to build the query of the alert.

index=test_index
| table Error,servername
| dedup Error,servername

[Screenshot 3]

Explanation:
Here, we have used the index “test_index”. Then we have used the “table” and “dedup” commands to show the distinct values of the “Error” and “servername” fields in tabular form.
Now, if you look at the “Error” field closely, you will find that it contains an Error type (e.g. FATAL ERROR, SYSTEM ERROR) followed by a colon and a message. We basically want to send this Error type as the “Subject” of the Alert. For that, we need to extract that portion of the field. Please see the next step.

Step: 4

index=test_index
| table Error,servername
| dedup Error,servername
| rex field=Error "(?<err>.*?)\:"
| stats values(Error),values(servername) by err

[Screenshot 4]

Here, we have extracted the Error type (everything before the first colon) into a field named “err” with the “rex” command.
Then we have added “| stats values(Error),values(servername) by err” to get the values of the “Error” field (“values(Error)”) and the values of the “servername” field (“values(servername)”) grouped by the values of the “err” field.
As you can see in the above image, the field “err” is visible and contains the Error type which we need to use in the subject of the Alert’s mail. Now, as we have mentioned that we want to change the subject of the Alert’s mail from a hidden field, we will use a trick to hide this field “err”. For that, please see the next step.


Step: 5

index=test_index
| table Error,servername
| dedup Error,servername
| rex field=Error "(?<_err>.*?)\:"
| stats values(Error),values(servername) by _err

[Screenshot 5]

Explanation:
Here, if you compare the above image with the above query, you can see that we have put an underscore (“_”) before “err” while extracting the field in the “rex” command (“_err”). As a result the field is no longer visible in the result set: a field whose name starts with an underscore is hidden from the table view by default, although it is still present on each row and can still be referenced.

NOTE: Don’t forget to change the field used for grouping in the stats command to “_err” as well [please see the above image and query]. If you leave it as “err”, the group-by field will be empty and stats will return no rows.

Step: 6
Now, please click on the “Save As” option on the right side.

[Screenshot 6]
Step: 7
Now, click on the “Alert” option.

[Screenshot 7]
Step: 8
Now, here we will do some setup.

[Screenshot 8]

Explanation:
Here, we have given the alert the title “Production Application Error Alert” [you can give any relevant name].
We have set the Cron Expression to “*/2 * * * *”, so that the alert runs every 2 minutes [you can set this as per requirement].
In the Trigger option we have selected “For each result”, so that the Alert is triggered separately for each row of the result set returned by the Alert’s query. This is what allows each mail to carry its own subject.

[Screenshot 9]

Explanation:
Now, as we want the Alert to send mails, we have selected the “Send email” option under “Add Actions”.

[Screenshot 10]
Now, in the “To” section of “Send Email” we have added the recipient address to which we want to send the Alert’s mail.
In the “Subject” section, we have added ( Prod Application Error: $result._err$ ), which is what produces the dynamic mail subject.
So, we have used Prod Application Error: as a fixed string and then added the token $result._err$. For each triggered result, Splunk replaces this token with the value of the “_err” field from that row of the Alert’s query, so the Error type appears in the subject after the string Prod Application Error: even though the field itself is hidden.
And we have checked the “Inline” box with the “Table” option so that we also get the result table of the Alert in the mail.

Step: 9

[Screenshot 11]
Explanation:
Here, you can see that we received the mail with the subject line “Prod Application Error: FATAL ERROR” for the “Production Application Error Alert”, together with the result table.

[Screenshot 12]
Explanation:
Here, you can see that we received the mail with the subject line “Prod Application Error: SYSTEM ERROR” for the “Production Application Error Alert”, together with the result table.
So, we are getting a dynamic subject in the Alert mail for the “Production Application Error Alert” from the hidden field “_err”, while the mail body shows only the visible fields.
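To make it easier to reason about what the alert pipeline does to each row before the mail is built, here is an added Python model of the whole flow (dedup, the rex extraction before the first colon, stats values(...) by _err, hiding of underscore-prefixed fields, and substitution of the $result._err$ token once per result). This is illustrative code written for this post, not Splunk's own implementation: the sample rows are constructed, the helper names (dedup, rex, stats_values_by, render_subject, build_alert_mails) are assumptions, and Splunk's real value ordering inside values() may differ. It also shows the edge case the rex pattern implies: a row whose Error value contains no colon gets no _err field and is therefore dropped by the group-by, so no mail is sent for it.

```python
import re

# Constructed sample rows (not data from the original post): one row per
# event with the two fields the post's query tables, Error and servername.
SAMPLE_ROWS = [
    {"Error": "FATAL ERROR: database connection lost", "servername": "app01"},
    {"Error": "SYSTEM ERROR: disk quota exceeded", "servername": "app02"},
    {"Error": "FATAL ERROR: database connection lost", "servername": "app01"},  # duplicate, removed by dedup
    {"Error": "FATAL ERROR: out of memory", "servername": "app03"},
    {"Error": "heartbeat missed", "servername": "app04"},  # no colon: rex does not match
]

# Equivalent of | rex field=Error "(?<_err>.*?)\:"  (non-greedy, stops at the first colon)
ERR_TYPE_RE = re.compile(r"(?P<_err>.*?):")

# Matches the $result.<field>$ tokens used in the alert's Subject setting
TOKEN_RE = re.compile(r"\$result\.([A-Za-z_][A-Za-z0-9_]*)\$")


def dedup(rows, *fields):
    """Mimic | dedup f1,f2: keep the first row for each combination of field values."""
    seen = set()
    out = []
    for row in rows:
        key = tuple(row.get(f) for f in fields)
        if key not in seen:
            seen.add(key)
            out.append(row)
    return out


def rex(rows, field, pattern):
    """Mimic | rex field=<field> "...": add named groups as new fields on matching rows only."""
    out = []
    for row in rows:
        new = dict(row)
        match = pattern.search(str(row.get(field, "")))
        if match:
            new.update(match.groupdict())
        out.append(new)
    return out


def stats_values_by(rows, by, *fields):
    """Mimic | stats values(f1),values(f2) by <by>.
    Rows without the by-field are dropped, as Splunk does for a null group-by value."""
    groups = {}
    for row in rows:
        key = row.get(by)
        if key is None:
            continue
        group = groups.setdefault(key, {by: key, **{f"values({f})": set() for f in fields}})
        for f in fields:
            if f in row:
                group[f"values({f})"].add(row[f])
    # Sorted for deterministic output; distinct values are returned as sorted lists
    return [
        {k: (sorted(v) if isinstance(v, set) else v) for k, v in groups[key].items()}
        for key in sorted(groups)
    ]


def visible_fields(row):
    """Fields whose name starts with '_' are hidden from the default table view (and the inline table)."""
    return [k for k in row if not k.startswith("_")]


def render_subject(template, row):
    """Substitute $result.<field>$ tokens for one result row, as the alert action does per result."""
    return TOKEN_RE.sub(lambda m: str(row.get(m.group(1), "")), template)


def build_alert_mails(rows, subject_template="Prod Application Error: $result._err$"):
    """Run the post's query over the rows and return one (subject, result row) per triggered result."""
    pipeline = dedup(rows, "Error", "servername")
    pipeline = rex(pipeline, "Error", ERR_TYPE_RE)
    pipeline = stats_values_by(pipeline, "_err", "Error", "servername")
    return [(render_subject(subject_template, row), row) for row in pipeline]


if __name__ == "__main__":
    for subject, row in build_alert_mails(SAMPLE_ROWS):
        print(subject)
        print("  inline table columns:", visible_fields(row))
        for col in visible_fields(row):
            print(f"  {col}: {row[col]}")
```

Running it produces two mails, one per distinct _err value (FATAL ERROR and SYSTEM ERROR); the "heartbeat missed" row never reaches the mail stage because the regex requires a colon, which is worth remembering when an error format changes and alerts silently stop firing for it.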

Hope you have understood the topic: How To Change The Email Subject Dynamically With A Hidden Field

Happy Splunking !!!
