How to set up an Email Report after Alert?

MScottFoley — Tue, 26 Jul 2022 20:51:24 GMT

I would like to have a report emailed to me a few minutes after an alert goes off. While the alert can include the results, it is based on something specific and will not have all the information I need. Let's say the alert is set up to catch too many host communication errors to a specific endpoint. Errors>100. Currently I either go to the alert and alter it to make a time chart to see any trends, or go to a specific dashboard that shows communication errors with other endpoints, network status, response times, etc. When the problem goes away I take all the Splunk graphs and make an incident report.

I would like to have a report with graphs and other info based on the dashboard emailed to me at the time of the alert and 10 minutes after. Sometimes I can get to my email, but not to Splunk. This would also help with the incident report and make them more uniform.

Is this possible? I have not worked with reports much. Can a report be triggered by a separate search? I could not find that answer online so I believe it can't. I could write a query that looks at the last time an alert went off and have that trigger the associated report if possible. I would like some type of PDF that I can just attach to the incident report. More importantly I would like to have much more detail emailed to me after an alert. I'm not even sure what an emailed report looks like. I could google that, but If I can't trigger it there is no need for the report. Although in reading about reports I want to use them more with dashboards.

Thanks

topic How to set up an Email Report after Alert? in Getting Data In

How to set up an Email Report after Alert?