Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Adding a list (table) to the email body from a scheduled search alert.

smithjnick
Path Finder
‎06-17-2014 07:28 AM

Hi All

I have a basic alert setup to trigger whenever i have 3 or more failed sql logins - as follows:

       sourcetype="WinEventLog:Application "EventCode=18456" | stats count by sql_login_name
       | search count > 2

An email is then sent out alerting the db admins about the event.

I have played around with the new alert config using the token feature in order to draw in other variables related to the issues but to no avail.

is it possible to drop the results of the following stats command into the email body or is there another approach i could use? The end game is to have a table pushed out inside the email listing the criteria below as well as the triggered event. 

       | stats list(sql_login_name) by SourceName, login_source host

cheers

Reply
1 Solution
Solved! Jump to solution
Solution

smithjnick
Path Finder
‎06-19-2014 03:54 AM

I have figured this out by utilising the command: "stats count, list....." whereas previously i had "stats count" followed by a pipe to "stats list".

Just out of interest - i am trying to get my head around the difference between Table and List and best practice on usage. Both appear to have a similar output?

View solution in original post

Reply
Solved! Jump to solution

splunker12er
Motivator
‎06-20-2014 06:03 AM

You might need to edit the sendemail.py file under your app/bin directory to accommodate your search results.

using stats command in the savedsearch for alerting sometimes will ignore the results...

search for the below stanza in your sendemail.py file... and modify this file..

def generateHTMLResults(results):
0 Karma
Reply
Solved! Jump to solution
Solution

smithjnick
Path Finder
‎06-19-2014 03:54 AM

I have figured this out by utilising the command: "stats count, list....." whereas previously i had "stats count" followed by a pipe to "stats list".

Just out of interest - i am trying to get my head around the difference between Table and List and best practice on usage. Both appear to have a similar output?

Reply
Solved! Jump to solution

smithjnick
Path Finder
‎06-20-2014 05:51 AM

Righto ppablo - i dont yet fully understand Splunk answers etiquette.

Reply
Solved! Jump to solution

ppablo
Retired
‎06-19-2014 11:44 AM

Hi @smithjnick

Please be sure to accept your answer so others with similar issues/questions will be more likely to refer to this post for help. Thanks!

Patrick

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎06-17-2014 11:10 AM

Have something like this in your savedsearches.conf to send the results inline in the email.

[YourSavedSearchName]
action.email = 1
action.email.to =  Your@email.list
action.email.cc =  Your@email.list
action.email.subject = YourSubject
action.email.format = html
action.email.sendresults = 1
action.email.inline = 1
action.email.ttl = 10
...Other properties
....
....
0 Karma
Reply
Solved! Jump to solution

smithjnick
Path Finder
‎06-19-2014 03:49 AM

Thanks for the response somesoni2 but i already figured that piece out. My query was in relation to how the list was presneted within the email.

0 Karma
Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...