How do I include only specific fields (which are visible in query result) in the email alert


#1

Hi,

Currently, when I raise an email notification, all the available fields also get added to the attachment content. I don’t want this. I want to include only those columns which are visible in the query result. How do I do this?

Query which I am using:-

_fetch * from event where $Duration=1h group count_unique $URL limit 4
>>_lookup virustotal get_url_report $URL
>>_checkif int_compare $VTPositives > 1 include

And then select the required columns and send it over email.


#2

Hi @Jack,

For the query:

_fetch * from event where $Duration=1h group count_unique $URL limit 4
>>_lookup virustotal get_url_report $URL
>>_checkif int_compare $VTPositives > 1 include

I am afraid you won’t be able to filter the columns of the above output; however, you can get the required values for particular fields sent over in an email by:

  1. Firstly, create an email template with the required formatting, for example a table with your required fields as columns.
  2. Trigger a report to send the required values in your email.

For example:

Search for client side errors in web access events:

_fetch * from event where $Duration=1d AND $LogType=WEBSERVER AND $HTTPRetCode=4** group count_unique $HTTPRetCode,$SrcIP limit 10

Trigger a report for the same:

_trigger report extended_examples report_on_client_side_errors notify_emailtrainer@dnif.it

Trigger a report with the relevant values in the datastack.
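A post-processing illustration, added here and not DNIF’s own code or query syntax: it assumes the enriched result (grouped $URL, count_unique, and the VirusTotal lookup’s $VTPositives, alongside the extra fields the default attachment would carry) has been exported as rows, shown below as a constructed sample. It applies the thread’s “VTPositives > 1” filter, keeps only the columns the analyst selected, and builds the HTML table and CSV attachment for the alert mail. The field names mirror the thread’s query; the attachment name, addresses and threshold parameter are assumptions for the example.

```python
import csv
import io
from email.message import EmailMessage
from html import escape

# Constructed sample rows, shaped like the enriched result in the thread: the
# grouped $URL with its count_unique, the lookup's $VTPositives, and extra
# fields that the default attachment would otherwise include unasked.
SAMPLE_ROWS = [
    {"URL": "http://example.test/a", "count_unique": 12, "VTPositives": 4,
     "SrcIP": "10.0.0.5", "LogType": "WEBSERVER", "HTTPRetCode": 200},
    {"URL": "http://example.test/b", "count_unique": 3, "VTPositives": 0,
     "SrcIP": "10.0.0.6", "LogType": "WEBSERVER", "HTTPRetCode": 404},
    {"URL": "http://example.test/c", "count_unique": 7, "VTPositives": 2,
     "SrcIP": "10.0.0.7", "LogType": "WEBSERVER", "HTTPRetCode": 200},
]

# The columns the analyst wants in the mail (an assumption for this example).
VISIBLE_FIELDS = ["URL", "count_unique", "VTPositives"]


def filter_and_project(rows, fields, min_positives=2):
    """Keep rows whose VTPositives >= min_positives (the thread's '> 1') and
    return copies holding only the requested fields, in the requested order.
    A requested field that no row carries is a configuration error, so fail
    loudly rather than mail an empty column."""
    if not rows:
        return []
    present = set().union(*(row.keys() for row in rows))
    missing = [f for f in fields if f not in present]
    if missing:
        raise ValueError(f"requested fields not in result: {missing}")
    return [
        {f: row.get(f, "") for f in fields}
        for row in rows
        if int(row.get("VTPositives", 0)) >= min_positives
    ]


def _neutralise_cell(value):
    """Spreadsheets treat cells starting with = + - @ (or a tab/CR) as formulas.
    Field values come from logs, not from us, so prefix such cells with a quote
    before they reach the analyst's spreadsheet."""
    text = str(value)
    if text[:1] in ("=", "+", "-", "@", "\t", "\r"):
        return "'" + text
    return text


def to_csv(rows, fields):
    """Serialise only the projected columns; header order follows `fields`."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({f: _neutralise_cell(row[f]) for f in fields})
    return buf.getvalue()


def to_html_table(rows, fields):
    """Render the projected rows as the table of an email template. Every cell
    is HTML-escaped because a URL pulled from a log is untrusted input."""
    head = "".join(f"<th>{escape(f)}</th>" for f in fields)
    body = "".join(
        "<tr>" + "".join(f"<td>{escape(str(row[f]))}</td>" for f in fields) + "</tr>"
        for row in rows
    )
    return f"<table><thead><tr>{head}</tr></thead><tbody>{body}</tbody></table>"


def build_alert(rows, fields, sender, recipient, subject="URLs flagged by VirusTotal"):
    """Assemble the message: the HTML table in the body, the same columns as a
    CSV attachment, and nothing else from the raw result."""
    projected = filter_and_project(rows, fields)
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(f"{len(projected)} URL(s) flagged; see the attached CSV.")
    msg.add_alternative(
        f"<html><body>{to_html_table(projected, fields)}</body></html>", subtype="html"
    )
    # Assumed attachment name; a str payload gives text/csv with charset utf-8.
    msg.add_attachment(to_csv(projected, fields), subtype="csv", filename="flagged_urls.csv")
    return msg


if __name__ == "__main__":
    print(build_alert(SAMPLE_ROWS, VISIBLE_FIELDS, "siem@example.test", "soc@example.test"))
```

The two small defensive steps matter precisely because the values originate in web-access logs: escaping the HTML cells stops a crafted URL from injecting markup into the mail client, and quoting cells that start with a formula character stops the CSV attachment from executing anything when opened in a spreadsheet.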