Create a email alert

Server Setup

Create a alert

Resources

Splunk | Steps to create an alert in splunk - Support and Troubleshooting - Now Support Portal

Troubleshooting

How to setup email alerts results

You can display Basic values you can put in the Subject or Body

Example:

$name$ // Gives you the name of the alert, ex. "Sign in out of US"

Custom values

The best way i found it to work is make the result query return a table. Splunk will look at the first entry to pull the values from.(ex..if you are returning multi rows it will only read the first for values)

| table _time, "User", "Client IP", City, Country

In the email you would access the values by

Email: $result.User$
IP: $result.Client IP$
City: $result.City$
Country: $result.Country$