topic Re: eval shown in my email? in Splunk Search

eval shown in my email?

dave0970 — Tue, 29 Sep 2020 18:24:16 GMT

How do i get this search to send the following eval shown in my email? I am getting email now but no result found shown in the email body. Please help!!!

host="irprapppvot*" PV-API-Key is required and was not provided or is invalid OR pvo.common.20002 | table _time, host | eval alert_contact="SysEng" | eval alert_description="pvo.common.20002 and PV-API-Key is required and was not provided or is invalid with more than 75 instances in a single minute. NOC to cycle the indicated host. If the issue is still happening, contact SysEng to investigate."

Re: eval shown in my email?

strive — Sat, 10 Mar 2018 01:05:17 GMT

Does your search
host="irprapppvot*" PV-API-Key is required and was not provided or is invalid OR pvo.common.20002
yields at least one result always?

Re: eval shown in my email?

deepashri_123 — Sat, 10 Mar 2018 01:39:42 GMT

Hey dave0970,

Looks like your eval is not a condition but a message to the end user and you can add it in description whereas for alert to trigger you need condition to be satisfied.
Refer this doc below:
https://docs.splunk.com/Documentation/Splunk/latest/Alert/AlertTriggerConditions

Let me know if this helps!!

Re: eval shown in my email?

dave0970 — Sat, 10 Mar 2018 03:19:05 GMT

This event search already happen. I just need to know what to put in the search so when the alert comes in email it will shown contact syseng and description what to do. Now it said result not found in the body. The time it happen was 3/7/18.

Re: eval shown in my email?

dave0970 — Sat, 10 Mar 2018 17:20:48 GMT

Here is the e-mail body when the alert triggered. The eval instruction suppose to show on right below view result in splunk. but i don't see it.

=========================
Subject: Splunk Alert: PVO - API Error: PV API Key
Importance: High

There were 0 result(s).
The alert took 66618.237 seconds to run.
Alert: PVO - API Error: PV API Key

View results in Splunk

Re: eval shown in my email?

dave0970 — Sat, 10 Mar 2018 17:58:55 GMT

Hi deepashri, here is the email body, it does not show the "eval" instruction to call syseng and description for the NOC. instead it just shown "No results found" . I believe i am missing something in my search strings. Any ideas will help a lot.

Subject: Splunk Alert: PVO - API Error: PV API Key
Importance: High

There were 0 result(s).
The alert took 68633.408 seconds to run.
Alert: PVO - API Error: PV API Key

View results in Splunk
No results found.

Re: eval shown in my email?

dave0970 — Sat, 10 Mar 2018 18:00:45 GMT

oppps sorry for the large font. Don't know why

Re: eval shown in my email?

richgalloway — Sat, 10 Mar 2018 20:02:48 GMT

The line of equal signs did it. I changed them to a horizontal rule.

Re: eval shown in my email?

dave0970 — Tue, 29 Sep 2020 18:24:24 GMT

Hi Rich,

do you mind explain little bit more about your comment? or, perhaps edit my search?

Re: eval shown in my email?

valiquet — Sun, 11 Mar 2018 07:26:20 GMT

Configure your saved search to only send email if number of results is > 1

| makeresults
| eval alert_description="pvo.common.20002 and PV-API-Key is required and was not provided or is invalid with more than 75 instances in a single minute. NOC to cycle the indicated host. If the issue is still happening, contact SysEng to investigate."
| append [ search host="irprapppvot*" PV-API-Key is required and was not provided or is invalid OR pvo.common.20002 
                   | table _time, host 
                   | eval alert_contact="SysEng" ]

Re: eval shown in my email?

dave0970 — Sun, 11 Mar 2018 16:32:36 GMT

valiquet- Thank you very much. I will give this search a test and update the same.

Re: eval shown in my email?

dave0970 — Sun, 11 Mar 2018 19:20:45 GMT

Hi valiquet- Does this search required a match alert to happen for us to see the eval in the e-mail body? I set up is equal to 0 to test for now to see if this work.