How do I include only specific fields (those visible in the query result) in the email alert attachment?

Comments


  • Official comment
    Nick Wilson

    That's correct - "fields" should handle this:

    RECON_INFO_ALERT
    AND _sourcename = "api"
    | json auto nodrop
    // field names containing a dot must be referenced as %"..."
    | where %"context.info_code" = "AMOUNT_MISMATCH"
    | parse "\"row\":*,\"gateway\":" as ReconRowData nodrop
    | parse "\"AMOUNT_MISMATCH\",\"message\":\"*\"," as Message nodrop
    | parse "\"gateway\":\"*\"}" as gateway nodrop
    // keep only the named columns; the name must match the parse alias exactly (ReconRowData, not ReconRawData)
    | fields Time, %"context.info_code", ReconRowData, Message, gateway

    If for some reason that doesn't work, you used to have to aggregate to get it to work (but I don't think that's still the case):

    RECON_INFO_ALERT
    AND _sourcename = "api"
    | json auto nodrop
    | where %"context.info_code" = "AMOUNT_MISMATCH"
    | parse "\"row\":*,\"gateway\":" as ReconRowData nodrop
    | parse "\"AMOUNT_MISMATCH\",\"message\":\"*\"," as Message nodrop
    | parse "\"gateway\":\"*\"}" as gateway nodrop
    // aggregating first collapses the result to exactly the grouped columns (plus _count)
    | count by Time, %"context.info_code", ReconRowData, Message, gateway
    | fields Time, %"context.info_code", ReconRowData, Message, gateway

    Thanks,
    Nick
    Customer Success, Sumo Logic
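The pipeline in the query above (json auto, where, three parse anchors, fields) can be checked offline before wiring it into an alert. The Python below is an added example, not Sumo Logic code and not from the comment author; it replays that pipeline over a few constructed log lines and renders the selected columns as the CSV an attachment would carry. The translation of a parse anchor's `*` into a lazy regex capture, the nested JSON layout of the messages, and the leading timestamp standing in for the Time column are all assumptions made for the example.

```python
import csv
import io
import json
import re

# Constructed sample messages (not real data). Layout is an assumption chosen so the
# three parse anchors from the query have something to match: info_code, message,
# row, gateway in that order inside "context". The leading ISO timestamp plays the
# role of the Time column.
SAMPLE_LOGS = [
    '2024-03-01T10:00:00Z RECON_INFO_ALERT {"context":{"info_code":"AMOUNT_MISMATCH",'
    '"message":"expected 100.00 got 99.50","row":{"id":17,"amount":99.5},"gateway":"stripe"}}',
    '2024-03-01T10:00:05Z RECON_INFO_ALERT {"context":{"info_code":"MISSING_ROW",'
    '"message":"no matching row","row":{"id":18},"gateway":"adyen"}}',
    '2024-03-01T10:00:09Z RECON_INFO_ALERT {"context":{"info_code":"AMOUNT_MISMATCH",'
    '"message":"expected 20.00 got 0.00","row":{"id":19,"amount":0},"gateway":"paypal"}}',
]

# The column list from the query's `fields` operator, with the alias spelled the same
# way as in the `parse ... as ReconRowData` step.
FIELDS = ["Time", "context.info_code", "ReconRowData", "Message", "gateway"]


def sumo_parse(anchor: str, text: str):
    """Approximate `parse "<anchor>" as X nodrop`: every `*` becomes a lazy capture,
    everything else is matched literally. Returns the capture, or None when the
    anchor does not match (the nodrop behaviour: the row survives with an empty field)."""
    pattern = re.escape(anchor).replace(r"\*", "(.*?)")
    m = re.search(pattern, text)
    return m.group(1) if m else None


def run_query(log_lines, selected_fields):
    """Replay the query: keyword filter, json auto, where on info_code, three parses,
    then project onto `selected_fields` in the given order (the `fields` operator).
    A selected name that no earlier step produced comes out as None, which is what a
    misspelled alias such as ReconRawData would look like in the attachment."""
    rows = []
    for line in log_lines:
        if "RECON_INFO_ALERT" not in line:
            continue
        # json auto: the JSON body starts at the first brace
        body = json.loads(line[line.index("{"):])
        # where %"context.info_code" = "AMOUNT_MISMATCH"
        if body.get("context", {}).get("info_code") != "AMOUNT_MISMATCH":
            continue
        record = {
            "Time": line.split(" ", 1)[0],
            "context.info_code": body["context"]["info_code"],
            "ReconRowData": sumo_parse('"row":*,"gateway":', line),
            "Message": sumo_parse('"AMOUNT_MISMATCH","message":"*",', line),
            "gateway": sumo_parse('"gateway":"*"}', line),
        }
        rows.append({name: record.get(name) for name in selected_fields})
    return rows


def to_csv(rows, selected_fields):
    """Render the projected rows the way a CSV attachment would: header row first,
    then one line per matching message, columns in the `fields` order."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=selected_fields)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(run_query(SAMPLE_LOGS, FIELDS), FIELDS))
```

Running it yields two rows (the MISSING_ROW message is dropped by the where step) with exactly the five requested columns. Swapping `ReconRowData` for the misspelled `ReconRawData` in FIELDS produces an all-empty column rather than an error, which is the symptom to look for when an attachment comes back with a blank field.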

  • Diarmuid Wrenne

    Will the Fields command not do this?
