Can't format result columns in email alert

Follow

Mike Sample

• September 06, 2017 17:42

I would like to have the alert email include only the fields stipulated in my scheduled search query. Instead, it currently includes only two raw fields, Time and Message, the latter of which happens to be a painfully verbose and impenetrable text payload (28k).

How can I configure the email alert to include just the fields I want?

1

• 

  Graham Watts

  • September 13, 2017 18:34

  Hi Mike,
  
  Can you share a sample query here? I would suggest the Fields operator to list only the fields that you want as the columns in the results of the Scheduled Search.

  1

  Comment actions Permalink
• 

  David Micallef

  • December 04, 2019 17:06

  I have a similar problem with the csv produced my scheduled search. I have used the fields operator as follows to exclude the Message, Host, Name, and Category data from my search results:

  | fields - _raw, _source, _sourceCategory, _sourceHost, _sourceName

   

  However, the csv includes empty columns for Message, Host, Name, and Category. Screen shot posted below. Is it possible to remove these columns from the csv report?

  

  0

  Comment actions Permalink

Please sign in to leave a comment.