Alerting

Can I set up a smart email alert that picks the destination email dynamically?

mataharry
Communicator

I have several similar alerts and I would like to regroup them.
But each alert has to send the email to a particular person. How can I do that, and add some logic?


yannK
Splunk Employee

There is a way to do it.
You could group your alerts per category / host, and use a lookup to map those fields to a person to contact.
This makes sense if your alert is a summary, not a list of every event.

Example:

With a lookup like alert_mapping.csv (comma-separated, as Splunk CSV lookups expect):

host,email
A,mistera@email.com
B,misterb@email.com
C,misterc@email.com

and a search like:

<mysearch> ERROR | stats count by host
 | lookup alert_mapping.csv host OUTPUT email
 | fillnull value=default@email.com email

You will end up with results like:

host  count  email
A     30     mistera@email.com
B     21     misterb@email.com
Z     10     default@email.com   (we added a catch-all email as a safety net)

Then in the email alert:
- use the option: alert one per result (not per search)
- populate the "To:" field with the token $result.email$

See the attached screenshot.

You can of course customize this to use something other than the host field.
You can also add more information to the lookup, or use macros,
and pass it to the email.

For example, to check host and component:

host,component,owner,email,action,SLA,priority
A,network,frank,f@email.com,fix the network please,10min,P2
A,storage,frank,f@email.com,fix the storage please,30min,P2
B,storage,bill,b@email.com,this host needs help,30min,P3
B,security,bill,b@email.com,security breach,30min,P1
etc.

You can also use other tokens to enrich your email.
see http://docs.splunk.com/Documentation/Splunk/local/Alert/Emailnotification

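Added example (not part of yannK's answer and not Splunk code): a small Python simulation of the pipeline above, so the routing logic can be exercised offline. The events, lookup rows and addresses are constructed for this example; EMAIL_RE is a sanity pattern I assumed, not something Splunk applies. It covers both lookups from the answer (keyed on host alone, and on host plus component), the fillnull catch-all, and the "one alert per result" rendering. Two checks are built in because the To: header is filled straight from $result.email$: the lookup must be the only source of that address, so the lookup step mimics OUTPUT (which overwrites a same-named field the events carried) and shows how OUTPUTNEW would instead let event data win; and a duplicate key in the lookup is rejected, since in Splunk it would make email a multivalue field and break the token.

```python
import csv
import io
import re
from collections import Counter

# Constructed lookups matching the two tables in the answer (all addresses are made up).
HOST_ONLY_CSV = """\
host,email
A,mistera@email.com
B,misterb@email.com
C,misterc@email.com
"""
ALERT_MAPPING_CSV = """\
host,component,owner,email,action,SLA,priority
A,network,frank,f@email.com,fix the network please,10min,P2
A,storage,frank,f@email.com,fix the storage please,30min,P2
B,storage,bill,b@email.com,this host needs help,30min,P3
B,security,bill,b@email.com,security breach,30min,P1
"""
# Constructed sample events, already filtered down to ERROR events.
EVENTS = [
    {"host": "A", "component": "network"},
    {"host": "A", "component": "network"},
    {"host": "A", "component": "storage"},
    {"host": "B", "component": "security"},
    {"host": "Z", "component": "storage"},  # no lookup row: must fall back to the catch-all
]
DEFAULT_EMAIL = "default@email.com"
# Assumed sanity pattern for the To: field. The real control is that the address
# comes from the operator-maintained lookup, never from event data.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def load_lookup(csv_text, keys):
    """Parse the CSV into {key tuple: row}. A duplicate key is treated as a config
    error: in Splunk it would make email multivalued and break the To: token."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        k = tuple(row[f].strip() for f in keys)
        if k in table:
            raise ValueError(f"duplicate lookup key {k}")
        table[k] = {f: v.strip() for f, v in row.items()}
    return table


def stats_count_by(events, keys):
    """`| stats count by <keys>`: one summary row per distinct key combination."""
    counts = Counter(tuple(e.get(f, "") for f in keys) for e in events)
    return [dict(zip(keys, k), count=n) for k, n in sorted(counts.items())]


def lookup_fields(results, table, keys, out_fields, overwrite=True):
    """`| lookup ... <keys> OUTPUT <out_fields>` (overwrite=True) or OUTPUTNEW
    (overwrite=False). OUTPUT replaces a same-named field the events carried."""
    for r in results:
        row = table.get(tuple(r.get(f, "") for f in keys))
        if row is None:
            continue  # leave the field empty so fillnull supplies the catch-all
        for f in out_fields:
            if overwrite or not r.get(f):
                r[f] = row[f]
    return results


def fillnull(results, field, value):
    """`| fillnull value=<value> <field>`: catch-all for keys missing from the lookup."""
    for r in results:
        if not r.get(field):
            r[field] = value
    return results


def route_alerts(events, csv_text, keys, out_fields=("email",), default=DEFAULT_EMAIL):
    """The pipeline from the answer; returns one row per alert message."""
    results = stats_count_by(events, keys)
    results = lookup_fields(results, load_lookup(csv_text, keys), keys, out_fields)
    results = fillnull(results, "email", default)
    for r in results:
        if not EMAIL_RE.match(r["email"]):
            raise ValueError(f"refusing to send to malformed address {r['email']!r}")
    return results


def render_messages(results):
    """'Alert one per result': each row becomes one message whose To: header is
    $result.email$ and whose body carries the other lookup columns."""
    return [{"to": r["email"],
             "body": "\n".join(f"{k}: {v}" for k, v in r.items() if k != "email")}
            for r in results]


if __name__ == "__main__":
    rows = route_alerts(EVENTS, ALERT_MAPPING_CSV, ("host", "component"),
                        out_fields=("email", "owner", "action", "SLA", "priority"))
    for m in render_messages(rows):
        print("To:", m["to"], "\n" + m["body"], "\n---")
```

Run it as a script to see the four messages the host+component lookup produces; the Z/storage row has no lookup entry and lands on the catch-all address. Note that keying ALERT_MAPPING_CSV on host alone raises the duplicate-key error on purpose, because host A appears twice in that table; the single-key lookup belongs with HOST_ONLY_CSV.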


mataharry
Communicator

How fancy.
