How to select fields for email alert

Is there any way to control the reported fields in an email alert? I have configured splunk to add the search results inline, but I don't need all the fields it is showing. I only want the host and _raw fields to show up in the email. Can you point me in the direction where I can change this behavior?

asked 06 May '10, 15:13

Jaci ♦
922●6●4●32
accept rate: 75%

2 Answers:

oldest newest most voted

4	You can control this by appending "\| fields + host,_raw" to the search string link answered 06 May '10, 15:59 Dan ♦ 1.5k●4●6●26 accept rate: 37% edited 07 May '10, 14:51 This is exactly what I was looking for. Thank you (07 May '10, 14:30) Jaci ♦

If Splunk is showing more fields then those two (_time) you can remove the fields you don't want by issuing the command | fields - _time after the | fields + host, _raw.

link

answered 07 May '10, 06:53

CerielTjuh
188●1●2●10
accept rate: 36%

Thank you for the answer, this is helpful.

(07 May '10, 14:31) Jaci ♦

Post your answer

toggle preview

Follow this question

Email:

RSS:

Answers

Answers + Comments

Markdown Basics

*italic* or _italic_
**bold** or __bold__
link:[text](http://url.com/ "Title")
image?![alt text](/path/img.jpg "Title")
numbered list: 1. Foo 2. Bar
to add a line break simply add two spaces to where you would like the new line to be.
basic HTML tags are also supported

learn more about Markdown

Tags:

alerts ×297
savedsearch ×248
fields ×179

Asked: 06 May '10, 15:13

Seen: 1,204 times

Last updated: 07 May '10, 14:51

How to select fields for email alert

Follow this question

Splunk Resources

Related questions