
Can I add what action needs to be taken for the alert that is fired by Splunk?

Communicator

If I have an alert and I need to take a particular action for that alert, can I integrate the action that needs to be taken into the alert mail that we receive from Splunk?

0 Karma

Re: Can I add what action needs to be taken for the alert that is fired by Splunk?

Contributor

You can follow this

0 Karma
Re: Can I add what action needs to be taken for the alert that is fired by Splunk?

Communicator

Hi Sanjay, thanks for the reply, but my question is: do we have anything in Splunk that we can add to the alert mail? Example:
I received an alert for high memory usage for an app pool, and Splunk sent an alert for it saying that the particular app pool has high memory usage.
Can I add the below to that mail:
"Recycle app pool name to solve it"

0 Karma
Re: Can I add what action needs to be taken for the alert that is fired by Splunk?

Contributor

You should be able to change the email message for any alert.
Check this if it helps.

0 Karma
Re: Can I add what action needs to be taken for the alert that is fired by Splunk?

Communicator

I have added the line to savedsearch.conf but still it's not working 😞

action.email.message = Recycle app pool

Any suggestions?

0 Karma
Re: Can I add what action needs to be taken for the alert that is fired by Splunk?

Ultra Champion

Another way is to create a lookup of "error messages" and "resolution tasks",
and if you extract the error field from each search, you can do a lookup at the end.
Then display the result as a table with columns.

Then on the alert, the resolution will be listed in the results.

example :
|_time | host | count | error | resolution |

0 Karma
Re: Can I add what action needs to be taken for the alert that is fired by Splunk?

Communicator

Thanks. That can work too. Will give it a try.

0 Karma
Re: Can I add what action needs to be taken for the alert that is fired by Splunk?

Influencer

The attribute you need to set in savedsearches.conf is:

action.email.message.report = This is the message you want in the email \
body and it \
can have multiple lines by doing \
this
0 Karma
Re: Can I add what action needs to be taken for the alert that is fired by Splunk?

Communicator

Giving this also a try.

0 Karma
Re: Can I add what action needs to be taken for the alert that is fired by Splunk?

Communicator

I gave this a try but am not getting the output. This is what I wrote:

action.email.message.report = Enable the job from task scheduler

0 Karma
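
An added example, not part of any post in this thread: a savedsearches.conf stanza that combines the lookup approach and the custom email message discussed above. The stanza name, index, sourcetype, field names, lookup file name and recipient address are assumptions; `action.email.message.alert` is the savedsearches.conf setting for the body of alert emails (the `.report` variant applies to scheduled reports), and `$result.resolution$` is filled from the first result row.

```ini
# Constructed example. Lookup file error_resolutions.csv (hypothetical name),
# uploaded as a lookup table file, with two columns:
#   error,resolution
#   app_pool_high_memory,Recycle the app pool
#   scheduled_job_disabled,Enable the job from Task Scheduler

# savedsearches.conf
[App pool high memory]
# Hypothetical index, sourcetype and fields; the lookup adds a "resolution"
# column so the emailed table reads: _time | host | count | error | resolution
search = index=iis_perf sourcetype=app_pool_metrics memory_pct>90 \
| eval error="app_pool_high_memory" \
| stats latest(_time) as _time count by host app_pool error \
| lookup error_resolutions.csv error OUTPUT resolution \
| table _time host app_pool count error resolution
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
# Trigger when the search returns at least one row
counttype = number of events
relation = greater than
quantity = 0
# Email action: include the results inline as a table
action.email = 1
action.email.to = ops@example.com
action.email.inline = 1
action.email.format = table
# Custom body for alert emails. A backslash must be the last character on
# the line (no trailing space) for the value to continue on the next line.
action.email.message.alert = Alert $name$ fired. \
Suggested action: $result.resolution$ \
See the results table below for every affected host.
```

Changes made directly in the .conf file take effect only after Splunk reloads its configuration, for example on a restart.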