topic Re: Create dynamic alert link in Alerting

Create dynamic alert link

Poojitha — Thu, 04 Jan 2024 06:19:20 GMT

Hi all,

I have created an search which returns set of email address and few hosts and using table command to display that.

Result looks like below:

Hostname	Agent Version	Email
host1	1.0	test1@gmail.com
host2	2.0	test2@gmail.com
host3	2.0	test1@gmail.com
host4	2.0	test1@gmail.com

Now , I want to send separate emails to test1@gmail.com and test2@gmail.com. The email should only contain hosts belonging to them. i.e host1, host3, host4 and its agent version should go to test1@gmail.com and host2 should go to test2@gmail.com

I want to embed a link in the alert email body that redirects to search result and should contain hostnames that belong to particular recepient. Can anyone help me how to generate dynamic alert link ?

Regards,
PNV

Re: Create dynamic alert link

_JP — Thu, 04 Jan 2024 17:45:02 GMT

Based on your description it sounds like you're wanting something pretty custom for your environment. There's not quite this type of data-splitting, alerting, and re-display framework in Splunk.

First suggestion: check out Splunkbase for any add-on's having to do with alerting. Maybe one of these has a good-enough implementation for what you need. Here's the results of the keyword "alert" for all the apps out there:

https://splunkbase.splunk.com/apps?keyword=alert

From what I understand of your description, a big part of what you want is a meaningful display of information to the person handling the alert. One way to solve is to create a Splunk dashboard that expects inputs via the URL - just like the ?keyword=alert in the above URL. When you include values like that in the URL for a dashboard you can access those as tokens (within your SimpleXML, for example).

A lot of times there is the SPL that goes into triggering an alert, and those results have a lot of "plumbing" data in them that helped trigger the alert. So that result set isn't very actionable by the responder. This is why you would create a custom dashboard that expects token inputs (like a timeframe and hostname), and then it renders visualizations for that host in that timeframe that helps them troubleshoot in response to the email.

If you haven't already, install the Splunk Dashboard Examples app - it has a lot of good tips and tricks for creating dashboards.

Re: Create dynamic alert link

Poojitha — Fri, 05 Jan 2024 20:17:39 GMT

@_JP : Yes,proper display of information. Probably, it is pretty much custom requirement. After some research, now I am able to do that with sendemail command .

Example : If I have user test1 and test2 . Hosts that belong to test1 are sent to test1@gmail.com user and hosts that belong to test2 user are sent to test2@gmail.com. CSV file is getting sent.

But now the problem is subject and emailbody are not getting displayed as I added. Its just showing Splunk Result 😞