|
I have an alert that sends an email every day at 6:00 AM that is formated in a table to show me the systems that have been rebooted in the last 24 hours. in the email is the content of the search that was run: *Name: 'Server Restarts' Query Terms: 'index=main EventCode=1074 SourceName="USER32" | rex field=_raw "Comment:\s(?<comment>.*)" | rex field=Message "The process\s(?<process>[^\s]+)" | transaction host maxspan=5m | eval user_count=mvcount(User) | eval final_user=case(user_count == 1, User, user_count > 1, mvindex(User, user_count-1)) | eval process_count=mvcount(process) | eval final_process=case(process_count == 1, process, process_count > 1, mvindex(process, process_count-1)) | table _time host final_user final_process comment | rename _time AS Time | convert timeformat="%m/%d/%Y. %H:%M:%S" ctime(Time) | rename final_user AS Username | rename final_process AS "Process name" | rename comment AS "Comment"' Link to results: @go?sid=scheduler__mikeh__search_RVNDRyBTZXJ2ZXIgUmVzdGFydHM_at_1317207600_5ee867f493492a6e">https://xxx.xxx.xxx.48:8000/app/search/@go?sid=scheduler__mikeh__search_RVNDRyBTZXJ2ZXIgUmVzdGFydHM_at_1317207600_5ee867f493492a6e Alert was triggered because of: 'Saved Search [Server Restarts]: number of events(4)' Time host Username Process name Comment
09/28/2011. 05:30:00 XXXWEB02 ESCGcfldap winlogon.exe 60
09/28/2011. 05:00:03 XXXAPP03 NT AUTHORITYSYSTEM PSSDNSVC.EXE
09/27/2011. 11:51:23 XXXUSERAPPS XXXxxxxS Explorer.EXE I want the email to have only the tabel without the search text in bold above How do i get this info out of the email alert???? |
|
This is quite easy. In Splunk, the e-mail alert is just triggered by saved-search then it will call the python script in $SPLUNK_HOME/etc/apps/search/bin/sendemail.py, and in this script, you can find part of code in mail function: |
