How to Get Extracted Fields into Your Splunk Alerts

I’ve been continuing to improve my Splunk> game, and part of that has been improving the information that comes in email alerts.

The image above shows the final result I am looking for, where you get custom information that’s contextual to the alert that was generated.

The problem

The issue is that this doesn’t work by default. You can’t just save the search above as an alert and have it give you the results in the email above. What you’ll get instead is empty fields.

Here’s what the template looks like:

The issue is that those $result.City$ and $result.SSHExceededUser$ fields may not show up at all in the email, even if you make sure those fields are included in the search result.

The fix

The fix is easy enough, although I wish it weren’t necessary.

What you do is pipe your search results to the fields command, followed by the names of the fields you want to be able to use in your email template.

Once you do that you’ll get the extracted results, as seen in the email above.
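The fix described above, written out as a savedsearches.conf stanza. This is an added example, not the search or template from the original post: the stanza name, index, sourcetype, rex pattern, schedule and recipient are assumptions, and only the City and SSHExceededUser field names come from the post.

```ini
# savedsearches.conf: constructed example, not the post's actual alert.
# Assumed names: the stanza title, index, sourcetype, rex pattern, schedule
# and recipient. City and SSHExceededUser are the fields the post uses.
[SSH max auth attempts exceeded]
# rex extracts the user; iplocation adds City; the final fields command
# lists the fields that the $result.<field>$ tokens below rely on.
search = index=main sourcetype=linux_secure "maximum authentication attempts exceeded" \
| rex "exceeded for (?:invalid user )?(?<SSHExceededUser>\S+) from (?<src_ip>\S+)" \
| iplocation src_ip \
| fields City SSHExceededUser
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
# Trigger when the search returns at least one event.
counttype = number of events
relation = greater than
quantity = 0
action.email = 1
action.email.to = soc@example.com
action.email.subject = SSH auth attempts exceeded: $result.SSHExceededUser$
# $result.<field>$ is filled from the first row of the search results.
action.email.message.alert = User $result.SSHExceededUser$ exceeded SSH auth attempts from $result.City$.
```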

Hope this helps someone.

