Alerting

How to create custom time-alert-email subject?

Vani_26
Path Finder

I have an alert where I want the date and time below to be displayed in the email subject.

Here the alert is getting data from March 02, 2022 8:00pm to March 03, 2022 8:00pm,

i.e. from yesterday 8:00pm to today's 8:00pm, and the alert will get triggered every day at 11pm.

I want to get the date and time like shown below:

March 02, 2022 8:00pm to March 03, 2022 8:00pm

Thanks in advance
0 Karma

Taruchit
Contributor

Hi @Vani_26,

Is the time displayed in each email alert going to be the same?

Thank you

0 Karma

Taruchit
Contributor

Hi @Vani_26,

Considering the following two assumptions:

1. Your subject line will have the date of the prior day and the current day.

2. Your subject line will have a fixed time: 8 pm.

You can try the below.

In the SPL of your alert, towards the end, add the following:

| eval currentDay=strftime(now(),"%B %d, %Y")
| eval lastDay=strftime(relative_time(now(),"-d"),"%B %d, %Y")

Then in the Splunk alert settings, add the following to your subject line:

'$result.lastDay$' 8:00 pm to '$result.currentDay$' 8:00 pm

 

Please try at your end and share your results.

Thank you

0 Karma

Vani_26
Path Finder

@Taruchit, yes, it is coming as expected, but I don't want to see these lastDay and currentDay fields in the query table.

So I tried doing | fields - lastDay currentDay

but when I add this to the query, they are not showing up, but in the email subject March 08, 2022 is not showing up either; this is missing.

How can I do this?
0 Karma

diogofgm
SplunkTrust

If you are using the $result.fieldname$ token, that field must be in the result.

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

Taruchit
Contributor

Hi @diogofgm,

I tried using the below:

| fields <list of required field names>

and in the above code I left out the field name that is used in the Splunk alert.

But it still worked for me when I invoked that field name in the subject line of the Splunk email alert.

Thank you

0 Karma

Vani_26
Path Finder

My requirement is also the same, but if I don't add the field names in the query,

the date and month are not getting displayed.

0 Karma

Taruchit
Contributor

Hi @Vani_26,

Let us assume your Splunk alert has results with five fields, with field names A, B, C, D, E.

You can add the below code in your SPL:

| fields A, B, C, D, E

This will allow you to display only the relevant fields in your Splunk results and also use the two extra fields we added for the dates in the Splunk alert.

Please share if the above helps to resolve the issue. 

Thank you

0 Karma

Vani_26
Path Finder

@Taruchit 

I tried adding

| fields a b c d

but if I don't add the date fields, they are not showing up in the email subject.

Please suggest 
0 Karma

Taruchit
Contributor

Thus, in the existing SPL of your alert, you can add the following:

| eval currentDay=strftime(now(),"%B %d, %Y")
| eval lastDay=strftime(relative_time(now(),"-d"),"%B %d, %Y")
| fields <list of field names which you need in the alert>

Please share if the above helps to accomplish your solution.

Thank you

 

0 Karma
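As an added example (not code from any post in this thread), the search below computes the subject strings from the alert's actual time window instead of from now(), so the subject stays correct even if the schedule or the window changes. It assumes a hypothetical base search (index=web sourcetype=access_combined) and an alert scheduled at 23:00 with a window of -27h@h to -3h@h (yesterday 20:00 to today 20:00); addinfo adds info_min_time and info_max_time to every result row, and the two window_* fields are left in the results on purpose, because $result.fieldname$ is read from the first result row and is empty if the field has been removed with fields -.

```spl
index=web sourcetype=access_combined earliest=-27h@h latest=-3h@h
| stats count AS requests BY host
| addinfo
| eval window_start=strftime(info_min_time, "%B %d, %Y") . " " . ltrim(strftime(info_min_time, "%I:%M %p"), "0")
| eval window_end=strftime(info_max_time, "%B %d, %Y") . " " . ltrim(strftime(info_max_time, "%I:%M %p"), "0")
| fields - info_min_time info_max_time info_search_time info_sid
```

With this search, an email subject of `Web traffic report: $result.window_start$ to $result.window_end$` renders as "Web traffic report: March 02, 2022 8:00 PM to March 03, 2022 8:00 PM". The ltrim strips the leading zero that %I produces for single-digit hours; the info_* fields can be dropped because only window_start and window_end are referenced by the token, but those two must stay in the result set and will therefore also appear in the results table of the email.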

diogofgm
SplunkTrust
SplunkTrust

You can use tokens in multiple alert action fields to accomplish that.

Check this docs page:

https://docs.splunk.com/Documentation/Splunk/9.0.0/Alert/EmailNotificationTokens

 

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma