group results to be emailed to appropriate support team based on server

splunkhan — Wed, 30 Sep 2020 00:30:21 GMT

I'm looking to search for multiple errors and exceptions across application logs for across multiple servers.

using a host_email.csv lookup table containing:
host, email_address

How can group these by error/exception type per server send email to corresponding team based on server. I would like to include in my email alert the alert message, server, and count. My search is not working:

| lookup host_email.csv
| search "error1" OR "error2" OR "error3" OR "error4" OR "exception1" OR "exception2" OR "exception3" | stats count values(_raw) by host
| search action.email=1 action.email.to=email_address

Re: group results to be emailed to appropriate support team based on server

MuS — Tue, 14 May 2019 06:03:31 GMT

Hi splunkhan,

untested and just making this up, but something like this should work:

| lookup host_email.csv 
| search "error1" OR "error2" OR "error3" OR "error4" OR "exception1" OR "exception2" OR "exception3" | stats count values(_raw) by host
| search action.email=1 action.email.to=email_address
| map maxsearches=0 search="stats count 
| fields - count 
| sendemail from=buttercup@splunk.com to=$action.email$ subject=$alert.subject$ message=$alert.message$ sendresults=true"

You might need to modify to work correct, and read about the sendemail command here https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Sendemail and the map command here https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Map

Hope this helps ...

cheers, MuS

topic group results to be emailed to appropriate support team based on server in Splunk Search

group results to be emailed to appropriate support team based on server

Re: group results to be emailed to appropriate support team based on server