topic Re: Alert Sending Email based on a if condition in Reporting

Alert Sending Email based on a if condition

hiteshkanchan — Fri, 25 May 2012 12:02:39 GMT

I need to send an Email based on a if condition. Something like "if (value > 10) send an email". But I am not able to figure out how to do this.

I am trying this with eval. But this only assigns the value to a variable(LoginQuality).

"eval LoginQuality= if (AverageLoginTime >10, "More", "Less")".

I need to make change/modify this statement to send an email depending on the condition.

Can someone help me with this?

Re: Alert Sending Email based on a if condition

fk319 — Fri, 25 May 2012 12:55:59 GMT

Under Manager/Searches and Reports you can schedule your e-mails. This is a feature that veries quite a bit between version. The later versions have better control over this.

Re: Alert Sending Email based on a if condition

hiteshkanchan — Sun, 27 May 2012 18:58:39 GMT

I want to do this either from the search command or from a python script.

From the search query/command, I get the AverageLoginTime value and based on this value I need to send the mail.

So I am looking for some command like "if (AvearageLoginTime > 10) send an email"

Re: Alert Sending Email based on a if condition

hiteshkanchan — Mon, 28 May 2012 11:18:41 GMT

If sending mail based on condition like "if (AvearageLoginTime > 10) send an email" is not possible, then I tried using Manager/Searches and Reports.
But it does not seem to send any mails. Any idea if I need to do any configuration.

Re: Alert Sending Email based on a if condition

fk319 — Tue, 29 May 2012 11:43:04 GMT

there is a sendmail command,
| eval send = if(AverageLoginTime>10,true,false)
| search send=true
| sendmail {arg list}
http://docs.splunk.com/Documentation/Splunk/4.3.2/SearchReference/Sendemail

Re: Alert Sending Email based on a if condition

hiteshkanchan — Tue, 29 May 2012 12:34:40 GMT

Yes right, I am doing the same thing and getting some error like
command="sendemail", [Errno 10060] A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond while sending mail to: "username@mail.com"

Re: Alert Sending Email based on a if condition

fk319 — Tue, 29 May 2012 13:02:07 GMT

I have not personaly done this, but an other has on our system. I would expect that sendmail [on a unix system] must be accepting request, well at leat on 127.0.0.1

Re: Alert Sending Email based on a if condition

dwaddle — Tue, 29 May 2012 14:01:40 GMT

If I understand your goal here, it's possible that an "advanced conditional alert" will suit your needs. Check out http://docs.splunk.com/Documentation/Splunk/4.2.3/User/SchedulingSavedSearches and search for the section "Define an advanced conditional alert".

I think that using a conditional alert of the form

search LoginQuality > 10

should get you close to what you want...

Re: Alert Sending Email based on a if condition

hiteshkanchan — Wed, 30 May 2012 11:08:48 GMT

Yes I am trying the same, but currently I am getting some error. "command="sendemail", [Errno 10061] No connection could be made because the target machine actively refused it while sending mail to: hitesh@domain.com"".

Looks like some configuration issue. Kindly let me know if anyone has resolved this issue

Re: Alert Sending Email based on a if condition

hiteshkanchan — Wed, 30 May 2012 11:38:39 GMT

I am trying this command --> sendemail to="user@domain.com" sendresults=true server="proxy.com:8080" and it gives the error like -->
"command="sendemail", Connection unexpectedly closed while sending mail to: user@domain.com"

Re: Alert Sending Email based on a if condition

dwaddle — Fri, 08 Jun 2012 04:11:42 GMT

You need to configure Splunk with a proper connection to a valid SMTP server. I doubt that proxy.com:8080 is a valid SMTP server. You need to make sure your basic SMTP connection is working before trying to move on to conditional alerts and stuff.

Re: Alert Sending Email based on a if condition

romantercero — Mon, 28 Sep 2020 12:24:15 GMT

You can do this with a sub search. Check this out:

Re: Alert Sending Email based on a if condition

romantercero — Fri, 07 Sep 2012 18:01:19 GMT

The gist of this is to include an if statement and place a sub search on the true or false clause of the if. The sub search uses the sendmail command to send you the results.