Getting value from splunk search result to Email Alert Message

Question

Im trying to get values from a splunk search into an email alert Message. My splunk search query used to trigger an alert is "resourceGroup="myResourceGroup" severity="Error" (simplified version). The output of the search looks like this

   {
   msg: Error encountered will getting details from API 
   resourceGroup: myResourceGroup
   severity: Error
   sourceContext: SystemContext
   success: false
  }

Q1: How do i get the msg value from the search result in my email alert? Below is a screen shot of splunk Alert Email Message Box?

Q2: Say i wanted to send msg and sourceContext, is there a way to insert ONLY these fields into a custom table?

.

score 0 · Answer 1 · answered Dec 01 '22 at 01:20

The first step is to extract the fields you want to use in the alert. A simple way to do that (if not already done) is with rex.

resourceGroup="myResourceGroup" severity="Error"
| rex "msg: (?<msg>[^\n}+)"
| rex "sourceContext: (?<sourceContext>\S+)"

Then reference the fields within $ in the alert message.

Msg = $msg$
sourceContext = $sourceContext$

Getting value from splunk search result to Email Alert Message

1 Answers1