https://community.splunk.com/t5/Alerting/Email-alerts-with-logics/m-p/278439#M12550 <P>For example, I want to accomplish this with only one alert saved search: to send email notification to admin_a if the search returns between 10 and 100 events within 5 mins (or when the search is ran), but to run some additional scripts or send email alert to admin_a and manager, if more than 100 events returned within 5 minutes.</P> Tue, 29 Sep 2020 07:36:21 GMT tsunamii 2020-09-29T07:36:21Z https://community.splunk.com/t5/Alerting/Email-alerts-with-logics/m-p/278439#M12550 <P>For example, I want to accomplish this with only one alert saved search: to send email notification to admin_a if the search returns between 10 and 100 events within 5 mins (or when the search is ran), but to run some additional scripts or send email alert to admin_a and manager, if more than 100 events returned within 5 minutes.</P> Tue, 29 Sep 2020 07:36:21 GMT https://community.splunk.com/t5/Alerting/Email-alerts-with-logics/m-p/278439#M12550 tsunamii 2020-09-29T07:36:21Z https://community.splunk.com/t5/Alerting/Email-alerts-with-logics/m-p/278440#M12551 <P>There are several things mixed up here, so I'll try to untangle.</P> <P>First I'll assume you have a search that returns some <CODE>count</CODE> field in an event, and you want to alert if <CODE>count &gt;= 10</CODE>. To do that, you can either add <CODE>| where count &gt;= 10</CODE> to your search and alert on "search returns an event", or add the <CODE>where count &gt;= 10</CODE> as the alert condition.<BR /> If you actually have the events returned from your search, you can instead set the alert condition to "alert if number of events is greater than" and enter your number.</P> <P>Second, you want to email different people depending on the count. Set your email recipient to <CODE>$result.recipient$</CODE> and add this to your search: <CODE>... | eval recipient = if (count &lt; 100, "admin_a@example.com", "admin_a@example.com,manager@example.com")</CODE><BR /> If you're actually returning events, add this instead: <CODE>... | eventstats count | eval if(...)</CODE></P> <P>Third, you want to run a script based on the count, but don't want a second alert. Run the script every time, and let the script abort if the <CODE>count</CODE> is below the threshold. If you can't modify your script then create a simple wrapper script to make this decision.</P> Mon, 12 Oct 2015 19:43:04 GMT https://community.splunk.com/t5/Alerting/Email-alerts-with-logics/m-p/278440#M12551 martin_mueller 2015-10-12T19:43:04Z https://community.splunk.com/t5/Alerting/Email-alerts-with-logics/m-p/278441#M12552 <P>This appears to work on splunk 6.3: </P> <P>"error" | stats count | eval recipient=case(count &gt; 3500, "<A href="mailto:recipient1@domain.com">recipient1@domain.com</A>", count &gt;= 500, "<A href="mailto:recipient2@domain.com">recipient2@domain.com</A>", 1==1, null()) | where isnotnull(recipient) </P> <P>AND in the to field you specify: <BR /> $result.recipient$ </P> <HR /> <P>So this says, </P> <P>if we have &gt; 3500 records then <BR /> send to recipient1 <BR /> else if you have &gt; 500 records <BR /> then send to recipient 2 <BR /> else <BR /> do not send any mail (sets recipient to null)</P> Thu, 14 Jan 2016 18:33:56 GMT https://community.splunk.com/t5/Alerting/Email-alerts-with-logics/m-p/278441#M12552 splunkIT 2016-01-14T18:33:56Z https://community.splunk.com/t5/Alerting/Email-alerts-with-logics/m-p/278442#M12553 <P>The latest doc has been updated with this information:<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.3.3/Alert/Emailnotification#Send_email_notification_from_a_search_command">http://docs.splunk.com/Documentation/Splunk/6.3.3/Alert/Emailnotification#Send_email_notification_from_a_search_command</A></P> Fri, 19 Feb 2016 19:20:00 GMT https://community.splunk.com/t5/Alerting/Email-alerts-with-logics/m-p/278442#M12553 splunkIT 2016-02-19T19:20:00Z