Regardless of what I put in the subject of an email alert, what comes back for the subject is Splunk Alert: $searchname$. I have multiple use cases where it would help to have tokens in the email subject.
Config of the example search from the app's savedsearches.conf, which I can see. I am a power user, not a Splunk admin, so I can't see the system-level config/defaults.
1. Is the alert config below properly set up to send tokenized email subject?
2. If the config below is correct, what would prevent it from coming through at the system level (what should I ask the Splunk admin to look at)? I suspect something in a higher-level conf file.
Thanks in advance.
[mysavedalert]
action.email = 1
action.email.format = table
action.email.include.results_link = 0
action.email.include.view_link = 0
action.email.message.alert = $result._raw$
action.email.reportServerEnabled = 0
action.email.subject.alert = Splunk Alert: New Failure - Client: $result.CLIENT$ Branch: $result.BRANCH$ Time: $result._time$
action.email.to = me@mycompany.com
action.email.useNSSubject = 1
alert.digest_mode = False
alert.expires = 1h
alert.suppress = 0
alert.track = 1
auto_summarize.dispatch.earliest_time = -1d@h
counttype = number of events
cron_schedule = */15 * * * *
dispatch.earliest_time = -30m@m
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype"]
display.general.type = statistics
display.page.search.mode = fast
display.visualizations.chartHeight = 520
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = EventKNow
request.ui_dispatch_view = search
search = "mysearch"
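An added example, not code from the question or from Splunk: a small Python model of how the stanza's subject template is selected and expanded, useful for checking which result fields the subject depends on before asking the admin about overrides. It assumes that useNSSubject = 1 selects action.email.subject.alert over the legacy action.email.subject key; the legacy subject line and the result row are constructed for the demonstration.

```python
import configparser
import re
from typing import Dict, List

# Constructed sample input: the email-related keys from the stanza in the question.
# The legacy action.email.subject line is a hypothetical fallback, not from the question.
SAVEDSEARCHES_CONF = """
[mysavedalert]
action.email = 1
action.email.useNSSubject = 1
action.email.subject = Splunk Alert: $name$
action.email.subject.alert = Splunk Alert: New Failure - Client: $result.CLIENT$ Branch: $result.BRANCH$ Time: $result._time$
alert.digest_mode = False
"""

TOKEN_RE = re.compile(r"\$(name|result\.[^$]+)\$")


def load_stanza(conf_text: str, stanza: str) -> Dict[str, str]:
    """Parse one savedsearches.conf stanza into a dict, preserving key case."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep camelCase keys such as action.email.useNSSubject
    cp.read_string(conf_text)
    return dict(cp[stanza])


def select_subject_template(stanza: Dict[str, str]) -> str:
    """Assumption: useNSSubject = 1 picks the namespaced subject.alert key, else the legacy key."""
    if stanza.get("action.email.useNSSubject", "0") == "1":
        return stanza.get("action.email.subject.alert", stanza.get("action.email.subject", ""))
    return stanza.get("action.email.subject", "")


def referenced_fields(template: str) -> List[str]:
    """Fields the subject expects in each result row; confirm the search really emits them."""
    return [t[len("result."):] for t in TOKEN_RE.findall(template) if t.startswith("result.")]


def render_subject(template: str, search_name: str, result: Dict[str, str]) -> str:
    """Expand $name$ and $result.<field>$ against one result row (a model, not Splunk's code).
    Fields missing from the row are left unexpanded so the gap is visible."""
    def expand(m) -> str:
        token = m.group(1)
        if token == "name":
            return search_name
        return result.get(token[len("result."):], m.group(0))
    return TOKEN_RE.sub(expand, template)


if __name__ == "__main__":
    stanza = load_stanza(SAVEDSEARCHES_CONF, "mysavedalert")
    template = select_subject_template(stanza)
    row = {"CLIENT": "acme", "BRANCH": "north", "_time": "2024-05-01 10:15:00"}  # constructed row
    print(referenced_fields(template))
    print(render_subject(template, "mysavedalert", row))
```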