How do I include only specific fields (those visible in the query result) in the email alert attachment?
Hi,
Currently, when I schedule the alert, all the available hidden fields also get added to the attachment content. I don't want this. I want to include only those columns which are visible in the query result. How do I do this?
My Sumo Logic query:
RECON_INFO_ALERT
AND _sourcename = "api"
| json auto nodrop
| where %"context.info_code" = "AMOUNT_MISMATCH"
| parse "\"row\":*,\"gateway\":" as ReconRowData nodrop
| parse "\"AMOUNT_MISMATCH\",\"message\":\"*\"," as Message nodrop
| parse "\"gateway\":\"*\"}" as gateway nodrop
I am only interested in Time, context.info_code, ReconRawData, Message, gateway
Thanks.
Official comment
That's correct - "fields" should handle this:
RECON_INFO_ALERT
AND _sourcename = "api"
| json auto nodrop
| where %"context.info_code" = "AMOUNT_MISMATCH"
| parse "\"row\":*,\"gateway\":" as ReconRowData nodrop
| parse "\"AMOUNT_MISMATCH\",\"message\":\"*\"," as Message nodrop
| parse "\"gateway\":\"*\"}" as gateway nodrop
| fields Time, %"context.info_code", ReconRowData, Message, gateway
If for some reason that doesn't work, you used to have to aggregate to get it to work (but I don't think that's still the case):
RECON_INFO_ALERT
AND _sourcename = "api"
| json auto nodrop
| where %"context.info_code" = "AMOUNT_MISMATCH"
| parse "\"row\":*,\"gateway\":" as ReconRowData nodrop
| parse "\"AMOUNT_MISMATCH\",\"message\":\"*\"," as Message nodrop
| parse "\"gateway\":\"*\"}" as gateway nodrop
| count by Time, %"context.info_code", ReconRowData, Message, gateway
| fields Time, %"context.info_code", ReconRowData, Message, gateway
Thanks,
Nick
Customer Success, Sumo Logic