https://community.splunk.com/t5/Alerting/How-to-send-e-mail-alert-that-contains-a-variable/m-p/547159#M10400 <P>Hi Team,</P><P>&nbsp; Given a set of logs like below:</P><P>Mar 2 12:56:34 10.1.2.3 router-01: 2021 Mar 2 12:56:34.628 AEST: %SLA_SENDER-3-IPSLATHRESHOLD: IP SLA: Threshold Cleared for timeout<BR />Mar 2 12:52:30 10.1.2.3 router-01: 2021 Mar 2 12:52:30.562 AEST: %SLA_SENDER-3-IPSLATHRESHOLD: IP SLA: Threshold Occurred for timeout<BR />Mar 2 11:13:59 10.1.2.3 router-01: 2021 Mar 2 11:13:59.912 AEST: %SLA_SENDER-3-IPSLATHRESHOLD: IP SLA: Threshold Cleared for timeout<BR />Mar 2 11:13:55 10.1.2.3 router-01: 2021 Mar 2 11:13:55.912 AEST: %SLA_SENDER-3-IPSLATHRESHOLD: IP SLA: Threshold Occurred for timeout<BR />Mar 2 10:52:29 10.1.2.3 router-01: 2021 Mar 2 10:52:29.848 AEST: %SLA_SENDER-3-IPSLATHRESHOLD: IP SLA: Threshold Cleared for timeout<BR />Mar 2 10:52:25 10.1.2.3 router-01: 2021 Mar 2 10:52:25.850 AEST: %SLA_SENDER-3-IPSLATHRESHOLD: IP SLA: Threshold Occurred for timeout<BR />Mar 2 10:26:04 10.1.2.3 router-01: 2021 Mar 2 10:26:04.843 AEST: %SLA_SENDER-3-IPSLATHRESHOLD: IP SLA: Threshold Cleared for timeout<BR />Mar 2 10:26:00 10.1.2.3 router-01: 2021 Mar 2 10:26:00.838 AEST: %SLA_SENDER-3-IPSLATHRESHOLD: IP SLA: Threshold Occurred for timeout<BR />Mar 2 10:09:19 10.1.2.3 router-01: 2021 Mar 2 10:09:19.918 AEST: %SLA_SENDER-3-IPSLATHRESHOLD: IP SLA: Threshold Cleared for timeout</P><P>with our setup for the above as:&nbsp;</P><P>index=syslog&nbsp; sourcetype=Cisco AND "IP SLA:"</P><P>I am trying to send an e-mail alert that will send only the LAST event for "Threshold Cleared" and more importantly, a variable that computes (time delta) from the last "Occurred" to the last "Cleared" event, in this case 244 seconds (12:56:34 - 12:52:30).</P><P>I have some knowledge of subsearches but only as part of another inline search and can't get my head on how to assign the result as a "variable" and then subsequently include that variable in an e-mail alert.</P><P>Basically the email alert I want to construct is:</P><P>"Latest IP SLA threshold has cleared at 12:56:34 PM.&nbsp; &nbsp;Event duration was 244 seconds"</P><P>Any suggestions on the syntax will be much appreciated.</P><P>Thanks.</P><P>&nbsp;</P> Thu, 08 Apr 2021 07:17:48 GMT rleyba828 2021-04-08T07:17:48Z https://community.splunk.com/t5/Alerting/How-to-send-e-mail-alert-that-contains-a-variable/m-p/547159#M10400 <P>Hi Team,</P><P>&nbsp; Given a set of logs like below:</P><P>Mar 2 12:56:34 10.1.2.3 router-01: 2021 Mar 2 12:56:34.628 AEST: %SLA_SENDER-3-IPSLATHRESHOLD: IP SLA: Threshold Cleared for timeout<BR />Mar 2 12:52:30 10.1.2.3 router-01: 2021 Mar 2 12:52:30.562 AEST: %SLA_SENDER-3-IPSLATHRESHOLD: IP SLA: Threshold Occurred for timeout<BR />Mar 2 11:13:59 10.1.2.3 router-01: 2021 Mar 2 11:13:59.912 AEST: %SLA_SENDER-3-IPSLATHRESHOLD: IP SLA: Threshold Cleared for timeout<BR />Mar 2 11:13:55 10.1.2.3 router-01: 2021 Mar 2 11:13:55.912 AEST: %SLA_SENDER-3-IPSLATHRESHOLD: IP SLA: Threshold Occurred for timeout<BR />Mar 2 10:52:29 10.1.2.3 router-01: 2021 Mar 2 10:52:29.848 AEST: %SLA_SENDER-3-IPSLATHRESHOLD: IP SLA: Threshold Cleared for timeout<BR />Mar 2 10:52:25 10.1.2.3 router-01: 2021 Mar 2 10:52:25.850 AEST: %SLA_SENDER-3-IPSLATHRESHOLD: IP SLA: Threshold Occurred for timeout<BR />Mar 2 10:26:04 10.1.2.3 router-01: 2021 Mar 2 10:26:04.843 AEST: %SLA_SENDER-3-IPSLATHRESHOLD: IP SLA: Threshold Cleared for timeout<BR />Mar 2 10:26:00 10.1.2.3 router-01: 2021 Mar 2 10:26:00.838 AEST: %SLA_SENDER-3-IPSLATHRESHOLD: IP SLA: Threshold Occurred for timeout<BR />Mar 2 10:09:19 10.1.2.3 router-01: 2021 Mar 2 10:09:19.918 AEST: %SLA_SENDER-3-IPSLATHRESHOLD: IP SLA: Threshold Cleared for timeout</P><P>with our setup for the above as:&nbsp;</P><P>index=syslog&nbsp; sourcetype=Cisco AND "IP SLA:"</P><P>I am trying to send an e-mail alert that will send only the LAST event for "Threshold Cleared" and more importantly, a variable that computes (time delta) from the last "Occurred" to the last "Cleared" event, in this case 244 seconds (12:56:34 - 12:52:30).</P><P>I have some knowledge of subsearches but only as part of another inline search and can't get my head on how to assign the result as a "variable" and then subsequently include that variable in an e-mail alert.</P><P>Basically the email alert I want to construct is:</P><P>"Latest IP SLA threshold has cleared at 12:56:34 PM.&nbsp; &nbsp;Event duration was 244 seconds"</P><P>Any suggestions on the syntax will be much appreciated.</P><P>Thanks.</P><P>&nbsp;</P> Thu, 08 Apr 2021 07:17:48 GMT https://community.splunk.com/t5/Alerting/How-to-send-e-mail-alert-that-contains-a-variable/m-p/547159#M10400 rleyba828 2021-04-08T07:17:48Z https://community.splunk.com/t5/Alerting/How-to-send-e-mail-alert-that-contains-a-variable/m-p/547166#M10401 <P>See this example search with your data</P><LI-CODE lang="markup">| makeresults | eval _raw="Mar 2 12:56:34 10.1.2.3 router-01: 2021 Mar 2 12:56:34.628 AEST: %SLA_SENDER-3-IPSLATHRESHOLD: IP SLA: Threshold Cleared for timeout Mar 2 12:52:30 10.1.2.3 router-01: 2021 Mar 2 12:52:30.562 AEST: %SLA_SENDER-3-IPSLATHRESHOLD: IP SLA: Threshold Occurred for timeout Mar 2 11:13:59 10.1.2.3 router-01: 2021 Mar 2 11:13:59.912 AEST: %SLA_SENDER-3-IPSLATHRESHOLD: IP SLA: Threshold Cleared for timeout Mar 2 11:13:55 10.1.2.3 router-01: 2021 Mar 2 11:13:55.912 AEST: %SLA_SENDER-3-IPSLATHRESHOLD: IP SLA: Threshold Occurred for timeout Mar 2 10:52:29 10.1.2.3 router-01: 2021 Mar 2 10:52:29.848 AEST: %SLA_SENDER-3-IPSLATHRESHOLD: IP SLA: Threshold Cleared for timeout Mar 2 10:52:25 10.1.2.3 router-01: 2021 Mar 2 10:52:25.850 AEST: %SLA_SENDER-3-IPSLATHRESHOLD: IP SLA: Threshold Occurred for timeout Mar 2 10:26:04 10.1.2.3 router-01: 2021 Mar 2 10:26:04.843 AEST: %SLA_SENDER-3-IPSLATHRESHOLD: IP SLA: Threshold Cleared for timeout Mar 2 10:26:00 10.1.2.3 router-01: 2021 Mar 2 10:26:00.838 AEST: %SLA_SENDER-3-IPSLATHRESHOLD: IP SLA: Threshold Occurred for timeout Mar 2 10:09:19 10.1.2.3 router-01: 2021 Mar 2 10:09:19.918 AEST: %SLA_SENDER-3-IPSLATHRESHOLD: IP SLA: Threshold Cleared for timeout" | multikv noheader=t | rex field=_raw ".*router-01: (?&lt;date&gt;\d+ \w{3} \d+ \d+:\d+:\d+\.\d+)" | eval _time=strptime(date, "%Y %b %d %H:%M:%S") | table _time _raw | rex field=_raw ".*(?&lt;state&gt;Cleared|Occurred)" | streamstats range(_time) as duration latest(eval(if(state="Cleared", _time, null))) as latest reset_before="("state==\"Cleared\"")" | where !isnull(latest) AND state="Occurred" | head 1 | eval l=strftime(latest, "%l:%M:%S %p") | eval message="Latest IP SLA threshold has cleared at ".l.". Event duration was ".round(duration)." seconds" | table message</LI-CODE><P>I've assumed that it's just a stream of on/off events, but you may need to modify the search as needed. In practice you only need the most recent 3 events as they should contain either&nbsp;</P><P>cleared, occurred, cleared&nbsp;</P><P>or&nbsp;</P><P>occurred,cleared, occurred</P><P>so you could do a head 3 at the start.</P><P>but basically the streamstats is your tool.</P><P>Hope this helps</P><P>&nbsp;</P> Thu, 08 Apr 2021 08:50:01 GMT https://community.splunk.com/t5/Alerting/How-to-send-e-mail-alert-that-contains-a-variable/m-p/547166#M10401 bowesmana 2021-04-08T08:50:01Z https://community.splunk.com/t5/Alerting/How-to-send-e-mail-alert-that-contains-a-variable/m-p/547281#M10406 <P>HI bowesmana,<BR /><BR />&nbsp; Many thanks for this....I'll adapt your query string a bit to see if fits some other variations of how the logs arrive, but essentially, it is the structure/combination of SPL commands that you provided that should make it work.&nbsp; &nbsp;<BR /><BR />Thanks again.</P> Thu, 08 Apr 2021 23:09:47 GMT https://community.splunk.com/t5/Alerting/How-to-send-e-mail-alert-that-contains-a-variable/m-p/547281#M10406 rleyba828 2021-04-08T23:09:47Z