Alerting

Can I add what action needs to be taken for the alert that is fired by Splunk?

shreyasathavale
Communicator

If I have an alert and I need to take a particular action for that alert, can I integrate the action that needs to be taken into the alert mail that we receive from Splunk?

0 Karma
1 Solution

lasnow
Explorer

You could also add a "resolution" field to your search:
| eval resolution="message for your email"


0 Karma

shreyasathavale
Communicator

I added the eval resolution and got the output, but what I require is that we get some message in the mail. It would be great!!!

0 Karma

s2_splunk
Splunk Employee

The attribute you need to set in savedsearches.conf is:

action.email.message.report = This is the message you want in the email \
body and it \
can have multiple lines by doing \
this

0 Karma

shreyasathavale
Communicator

Giving this a try as well...

0 Karma

shreyasathavale
Communicator

I gave this a try but am not getting the output. This is what I wrote:

action.email.message.report = Enable the job from task scheduler

0 Karma

s2_splunk
Splunk Employee

This will work, if
a) the attribute is specified in savedsearches.conf for the alerting search you want to modify
b) you make the manual change and restart Splunk or reload the .conf files

I used the UI to specify the message and then looked at the resulting savedsearches.conf

0 Karma

yannK
Splunk Employee

Another way is to create a lookup of "error messages" and "resolution tasks",
and if you extract the error field from each search, you can do a lookup at the end.
Then display the result as a table with columns.

Then on the alert, the resolution will be listed in the results.

Example:
| _time | host | count | error | resolution |

0 Karma
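Putting the two suggestions above together (the savedsearches.conf message attribute from s2_splunk's answer and the lookup table from yannK's answer), here is an added example of what the configuration could look like. This is not code from the thread; the stanza name, index, sourcetype, lookup name, recipient address and the CSV rows are all assumed or constructed. Note that savedsearches.conf has two message attributes: action.email.message.alert is used when the saved search is an alert, and action.email.message.report when it runs as a scheduled report, and a continued line must end with the backslash as its last character.

```ini
# --- transforms.conf: lookup definition (name and file are assumed) ---
# error_resolutions.csv is a constructed two-column file, for example:
#   error,resolution
#   "app pool memory high","Recycle the affected app pool in IIS"
#   "scheduled task disabled","Enable the job from Task Scheduler"
[error_resolutions]
filename = error_resolutions.csv

# --- savedsearches.conf: alert stanza (stanza name, index and sourcetype are assumed) ---
[App pool high memory]
# Extract the error, join the resolution from the lookup, and present the
# columns yannK describes so the resolution appears in the emailed results.
search = index=win sourcetype=iis_apppool error=* \
    | bin _time span=5m \
    | stats count by _time host error \
    | lookup error_resolutions error OUTPUT resolution \
    | table _time host count error resolution
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m
dispatch.latest_time = now
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
alert.track = 1

# Email action: the message body references fields of the first result row
# with $result.<field>$ tokens, so the resolution text lands in the mail body
# as well as in the attached/inline results table.
action.email = 1
action.email.to = ops-oncall@example.com
action.email.subject = Alert: $name$ on $result.host$
action.email.message.alert = Alert $name$ fired on $result.host$.\
Error: $result.error$\
Recommended action: $result.resolution$
action.email.sendresults = 1
action.email.inline = 1
action.email.format = table
```

After editing the files by hand, reload the configuration (for example via the debug/refresh endpoint or a restart), as s2_splunk notes, or the new attributes will not take effect; editing the alert's email message through the UI writes the same attributes and does not need a reload.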

shreyasathavale
Communicator

Thanks. That can work too. Will give it a try.

0 Karma

sanjay_shrestha
Contributor

You can follow this

0 Karma

shreyasathavale
Communicator

Hi Sanjay, thanks for the reply, but my question is: do we have anything in Splunk that we can add to the alert mail? Example:
I received an alert for high memory usage for an app pool, and Splunk sent an alert that that particular app pool has high memory usage.
Can I add the below to that mail:
"Recycle app pool name to solve it"

0 Karma

sanjay_shrestha
Contributor

You should be able to change the email message for any alert.
Check this if it helps.

0 Karma

shreyasathavale
Communicator

I have added the line to savedsearch.conf but still it's not working 😞

action.email.message = Recycle app pool

Any suggestions???

0 Karma