topic Re: How to set a custom alert condition to send multiple email alerts with different results based on a certain field? in Alerting

How to set a custom alert condition to send multiple email alerts with different results based on a certain field?

Roopaul — Fri, 04 Sep 2015 22:45:13 GMT

I created a search which displays below results:

Server   component   Proxy   Count
   A        AB        ABC      2
   A        AB        ABD      4
   A        AC        ABC      2

I need to send an email for each component i.e.
Email 1:

Server   component   Proxy   Count
   A        AB        ABC      2
   B        AB        ABD      4

Email 2:

Server   component   Proxy   Count
   A        AC        ABC      2

Can someone help?

Re: How to set a custom alert condition to send multiple email alerts with different results based on a certain field?

frobinson_splun — Fri, 04 Sep 2015 23:09:11 GMT

Hi @Roopaul,
I'm a tech writer here at Splunk and I work on alerting documentation. I am looking into this and will post some documentation resources that should help. I'll report back shortly!
All best,
@frobinson_splunk

Re: How to set a custom alert condition to send multiple email alerts with different results based on a certain field?

Roopaul — Fri, 04 Sep 2015 23:16:47 GMT

Great. That will be really helpful. Looking forward to it.

Do you have any high level date on when this will be available as i am working on an urgent requirement.

Re: How to set a custom alert condition to send multiple email alerts with different results based on a certain field?

frobinson_splun — Fri, 04 Sep 2015 23:26:25 GMT

Hi @Roopaul,
Here is what I would suggest:
1) Set up scheduled reports that run this query for each component (not sure how many components you anticipate)
2) Set up an email action for those reports so that you get emails when the scheduled report is done. You can include information from the search results in the alert emails.

Here is some documentation on using scheduled reports:
http://docs.splunk.com/Documentation/Splunk/6.2.5/Report/Schedulereports

Hope this helps! Let me know if not and we can continue discussing.

All best,
@frobinson_splunk

Re: How to set a custom alert condition to send multiple email alerts with different results based on a certain field?

justinatpnnl — Sat, 05 Sep 2015 21:18:50 GMT

Do you need to send to different email addresses based on the component? Or just fire separate emails but all to the same address?

Re: How to set a custom alert condition to send multiple email alerts with different results based on a certain field?

Roopaul — Tue, 08 Sep 2015 17:34:25 GMT

@frobinson_splunk
I am doing scheduled reports for this alert. But my requirement is I want to send an email based on the output of the query (see my example above).

@justinatpnnl - The recipents are going to be the same. the email content will vary based on the output as i mentioned above.

Re: How to set a custom alert condition to send multiple email alerts with different results based on a certain field?

justinatpnnl — Tue, 08 Sep 2015 18:19:51 GMT

What if you tried something like this:

| stats list(Server) as Server, list(Proxy) as Proxy, list(Count) as Count by Component

That would give you something like this as a result, where each component has its own row (this may not display correctly below, but hopefully you get the idea):

Component   Server  Proxy   Count
AB         A         ABC      2
             B       ABD      4
AC         A         ABC      2

Now you can save this as an alert and fire "For each result". Would that work for you?

Re: How to set a custom alert condition to send multiple email alerts with different results based on a certain field?

Roopaul — Tue, 08 Sep 2015 18:25:03 GMT

@justinatpnnl

this is great. Yes this will defintely work for me. I was unaware of "list" argument and was using "values". Thanks a lot!!

Re: How to set a custom alert condition to send multiple email alerts with different results based on a certain field?

jamestoan — Mon, 21 Sep 2015 18:58:47 GMT

For this described method, how do I make each multivalued field show up on a new line instead of bunched together on one line in an email alert with an Inline Table?

For example, I want the table in the email to show up like the table described in the answer. However, in my emails, I'm getting a table with "A" and "B" showing up as "A B" on one line instead of a separate row for server "B".

Re: How to set a custom alert condition to send multiple email alerts with different results based on a certain field?

Roopaul — Mon, 21 Sep 2015 19:42:21 GMT

Yes, we also faced the same issue and it looks like a limitation with splunk. In the email the field size is determined as per the width of the column heading. So what we did is we manipulated the column width by adding spaces to the column name (it should be higher than the result's highest length):
For eg.
|eval server= server." "|

Hope this helps.

Re: How to set a custom alert condition to send multiple email alerts with different results based on a certain field?

miguel1423 — Fri, 11 Feb 2022 10:16:03 GMT

Hello,

I'm looking for the same use case, have you find an solution for that ?

Regards,