Closed Hollerweger closed 3 years ago
Hi @Hollerweger
Any of the options from the alert action follow the standard Splunk alert action feature, which means the values can be dynamically replaced using token resulting from the search, see:
https://docs.splunk.com/Documentation/Splunk/8.1.0/Alert/EmailNotificationTokens
In short, you can for instance define the URL target within your SPL code and recycle this value dynamically, for the example purpose:
| makeresults | eval dashboard="mydashboard", message="this is a test", openurl_target="https://mysplunk.com/" . dashboard
Then you would refer to the URL target in the alert action by:
$result.openurl_target$
Hope this makses sense and I properly understood your question.
Guilhem
Thanks $result.openurl_target$
helped. Was not sure how i can reference a field. Is the "View results in Splunk" link that can be seen in e-mails directly available to reference?
@Hollerweger Yes all tokens you can see in the Email alert action documentation are available to any other alert action too. However I'd suggest to pay attention to complex links with long list to token susbsitions, I've see MS Teams not being happy with that and ignoring it or not behaving as expected. Try to keep URL simple enough (but the result link should be refereing to an SID which would be fine)
Based on documentation it should be possible to have dynamic input in the OpenURL form the search:
For me it is not clear how to include them. Eg.:
Where %correlation-id% should be replaced with the actual correlation-id.