Alerting

Best ways or tools to use for on-call schedule alerts in Splunk?

Manoj_g
New Member
  • I have some alerts that need to be sent to certain people, like whoever is on call for that week. So which is the best way to use the rotation method?
  • Any kind of suggestion is appreciated.
0 Karma

tpeveler_splunk
Splunk Employee

Manoj_g,

Check out Alert Manager on Splunkbase.

0 Karma

MuS
SplunkTrust

Hi Manoj_g,

one example would be a lookup table that holds information like days, week numbers, and the related email address that should receive the alert. Use that lookup in your search and you should be able to get what you want.

Hope this makes sense ...

cheers, MuS

0 Karma

Manoj_g
New Member

I have a search with
"index=_internal sourcetype=scheduler savedsearch_id= * status= skipped | stats count by reason"

And in my lookup file:
temp.csv:
Days email
mon 123@splunk.com
Tue 456@splunk.com
Wed 789@splunk.com
Thu 123@splunk.com
Fri 456@splunk.com
Sat 789@splunk.com
sun 000@splunk.com
Can you please help me with the search so that I can send it daily using a rotation process?

0 Karma

niketn
Legend

Following is an example (untested but you should find working examples on Splunk Answers) of using the map command to get the email from the lookup based on the current day and pass it on to the sendemail command.

| inputlookup test.csv where [| makeresults
| fields - _time
| eval Days=strftime(now(),"%a")
| table Days]
| table email
| map search="index=_internal sourcetype=scheduler savedsearch_id=* status=skipped | stats count by reason | sendemail to=\"$email$\""

Refer to the answer from @woodcock for using the map command for sending email with context: https://answers.splunk.com/answers/399434/send-emailed-results-to-an-email-address-in-the-re.html#an...

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
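
A check one could run on the rotation lookup before relying on it for alert routing (an added example, not code from the thread or from Splunk). It uses the temp.csv rows posted above, rewritten as CSV, and assumes a case-sensitive key match (Splunk's default for lookups), English "%a" day abbreviations, and a hypothetical fallback address so that a day with no matching row still reaches someone.

```python
import csv
import io
from datetime import date

# Constructed sample: the rows of temp.csv as posted in the thread, as CSV.
TEMP_CSV = """Days,email
mon,123@splunk.com
Tue,456@splunk.com
Wed,789@splunk.com
Thu,123@splunk.com
Fri,456@splunk.com
Sat,789@splunk.com
sun,000@splunk.com
"""

# What strftime(now(), "%a") yields in an English locale, Monday first.
ABBR = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
FALLBACK = "oncall-fallback@example.com"  # hypothetical catch-all mailbox


def load_rotation(text):
    """Return the lookup as a list of (Days, email) tuples, whitespace stripped."""
    return [(r["Days"].strip(), r["email"].strip())
            for r in csv.DictReader(io.StringIO(text))]


def lint_rotation(rows):
    """List problems that would leave a day without exactly one recipient."""
    problems = []
    for abbr in ABBR:
        exact = [e for d, e in rows if d == abbr]
        loose = [e for d, e in rows if d.lower() == abbr.lower()]
        if not loose:
            problems.append(f"{abbr}: no row")
        elif len(loose) > 1:
            problems.append(f"{abbr}: {len(loose)} rows")
        elif not exact:
            problems.append(f"{abbr}: key case differs from %a output")
    return problems


def resolve(rows, day, case_sensitive=True):
    """Recipient for `day`; FALLBACK when no key matches."""
    want = ABBR[day.weekday()]
    for d, e in rows:
        if d == want or (not case_sensitive and d.lower() == want.lower()):
            return e
    return FALLBACK
```

With the posted rows, the lint flags the "mon" and "sun" keys, and a case-sensitive resolve for a Monday or Sunday falls through to the fallback address rather than the intended recipient.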