I am alerting on a failed login search provided below:-
host=CATSG14 "Failed login" GATEWAY="***" USER_IDv3="***"| stats count by USER_IDv3
I would like my email alert to say:-
The alert condition for '$name$' was triggered.
User $result.USER_IDv3$ is having trouble accessing the $GATEWAY$ gateway.
The email picks out the USER_IDv3 field but leaves the GATEWAY field blank. Is there anyway to grab the GATEWAY field?
↧