I have several similar alerts and I would like to regroup them.
But each alert has to send the email to a particular person; how can I do that, and add some logic?
There is a way to do it.
You could group your alerts per category / host, and use a lookup to map those fields to a person to contact.
This makes sense if your alert is a summary, not a list of every event.
Example:
With a lookup like alert_mapping.csv (a CSV lookup must be comma-delimited):
host,email
A,mistera@email.com
B,misterb@email.com
C,misterc@email.com
and a search like:
<mysearch> ERROR | stats count by host
| lookup alert_mapping.csv host OUTPUT email
| fillnull value=default@email.com email
You will end up with results like:
host,count,email
A,30,mistera@email.com
B,21,misterb@email.com
Z,10,default@email.com (we added a catch-all email as a safeguard)
Then in the email alert:
- use the option: trigger the alert once per result (not once per search)
- populate the "To:" field with the token $result.email$
see the attached screenshot.
You can of course customize this to use something other than the host field.
You can also add more information to the lookup, or use macros,
and pass them to the email,
for example to check host and component:
host,component,owner,email,action,SLA,priority
A,network,frank,f@email.com,fix the network please,10min,P2
A,storage,frank,f@email.com,fix the storage please,30min,P2
B,storage,bill,b@email.com,this host need help,30min,P3
B,security,bill,b@email.com,security breach,30min,P1
etc.
You can also use other tokens to enrich your email.
see http://docs.splunk.com/Documentation/Splunk/local/Alert/Emailnotification
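The routing logic in the answer above, carried through end to end as an added Python example (this is not Splunk's code nor the answer's own, and it does not run inside Splunk; it only mirrors what `stats count by`, `lookup`, `fillnull` and the per-result `$result.<field>$` tokens do). The log lines, the two-key (host, component) lookup table, and the default values for unmapped rows (P4 priority, "n/a" SLA) are all constructed for the example. It shows the one thing the prose glosses over: a (host, component) pair that is missing from the lookup still produces an alert, but lands on the catch-all address, so the mapping table can never silently drop a notification.

```python
import csv
import io
import re
from collections import Counter

# Constructed lookup, same columns as the extended table in the answer
# and keyed on (host, component). Hypothetical data.
ALERT_MAPPING_CSV = """host,component,owner,email,action,SLA,priority
A,network,frank,f@email.com,fix the network please,10min,P2
A,storage,frank,f@email.com,fix the storage please,30min,P2
B,storage,bill,b@email.com,this host need help,30min,P3
B,security,bill,b@email.com,security breach,30min,P1
"""

# Constructed sample events standing in for `<mysearch> ERROR`. Hypothetical.
SAMPLE_EVENTS = """host=A component=network level=ERROR msg="link down"
host=A component=network level=ERROR msg="link flapping"
host=A component=storage level=ERROR msg="disk full"
host=B component=security level=ERROR msg="failed login burst"
host=B component=security level=WARN msg="not an error, must be ignored"
host=Z component=db level=ERROR msg="host missing from the lookup"
"""

DEFAULT_EMAIL = "default@email.com"   # the catch-all from the answer
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
TOKEN_RE = re.compile(r"\$result\.(\w+)\$")


def parse_event(line):
    """key=value extraction, quoted values allowed."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def stats_count_by(events, *fields):
    """Equivalent of `| stats count by host component`: one row per key."""
    counter = Counter(tuple(e.get(f) for f in fields) for e in events)
    return [dict(zip(fields, key), count=n) for key, n in counter.items()]


def load_lookup(csv_text, key_fields):
    rows = csv.DictReader(io.StringIO(csv_text))
    return {tuple(r[f] for f in key_fields): r for r in rows}


def lookup(results, table, key_fields):
    """Equivalent of `| lookup alert_mapping.csv host component OUTPUT ...`.
    Rows with no match keep the output fields unset (null)."""
    out = []
    for r in results:
        match = table.get(tuple(r.get(f) for f in key_fields), {})
        merged = dict(r)
        merged.update({k: v for k, v in match.items() if k not in key_fields})
        out.append(merged)
    return out


def fillnull(results, field, value):
    """Equivalent of `| fillnull value=<value> <field>`."""
    for r in results:
        r.setdefault(field, value)
    return results


def render(template, result):
    """Substitute $result.<field>$ the way the email action does, per result."""
    return TOKEN_RE.sub(lambda m: str(result.get(m.group(1), "")), template)


def build_alerts(log_text=SAMPLE_EVENTS, mapping_csv=ALERT_MAPPING_CSV):
    """Return one email (to/subject/body) per result row, sorted by subject."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    events = [e for e in events if e.get("level") == "ERROR"]   # <mysearch> ERROR
    keys = ("host", "component")
    results = stats_count_by(events, *keys)
    results = lookup(results, load_lookup(mapping_csv, keys), keys)
    # Defaults for rows the lookup did not match (assumed values, not from the answer).
    results = fillnull(results, "email", DEFAULT_EMAIL)
    results = fillnull(results, "priority", "P4")
    results = fillnull(results, "SLA", "n/a")
    results = fillnull(results, "action", "no runbook in alert_mapping.csv")
    subject = "[$result.priority$] $result.count$ errors on $result.host$/$result.component$"
    body = "$result.action$ (SLA $result.SLA$)"
    alerts = [{"to": render("$result.email$", r),
               "subject": render(subject, r),
               "body": render(body, r)} for r in results]
    return sorted(alerts, key=lambda a: a["subject"])


if __name__ == "__main__":
    for a in build_alerts():
        print(a["to"], "|", a["subject"], "|", a["body"])
```

Two practical points the simulation makes visible: `fillnull` must run after `lookup`, otherwise the placeholder value wins and the real owner is never looked up, and the lookup key fields must match the field names produced by `stats ... by` exactly (same spelling and case), or every row falls through to the catch-all.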
how fancy.