Hi Sanjay, thanks for the reply, but my question is: do we have anything in Splunk that we can add with the alert mail? Example:
I received an alert for high memory usage for an app pool, and Splunk sent an alert for it saying that particular app pool has high memory usage.
Can I add to that mail the below:
"Recycle app pool name to solve it"
I have added the line to savedsearch.conf but it's still not working 😞
action.email.message = Recycle app pool
Another way is to create a lookup of "error messages" and "resolution tasks",
and if you extract the error field from each search, you can do a lookup at the end.
Then display the result as a table with columns.
Then on the alert, the resolution will be listed in the results.
|_time | host | count | error | resolution |
The attribute you need to set in savedsearches.conf is:
action.email.message.report = This is the message you want in the email \
body and it \
can have multiple lines by doing \
this
I gave this a try but I'm not getting the output; this is what I wrote:
action.email.message.report = Enable the job from task scheduler
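
The lookup approach and the email body attributes discussed in this thread, combined in one stanza as an added example that is not from any of the posters. The stanza name, index, sourcetype, field names, threshold, recipient and the lookup file resolutions.csv are all assumptions made for illustration.

```ini
# savedsearches.conf (constructed example; all names below are hypothetical)
#
# Lookup file resolutions.csv, uploaded as a lookup table file (constructed):
#   error,resolution
#   high_memory,Recycle the app pool
#   job_disabled,Enable the job from Task Scheduler

[AppPool High Memory]
# Tag each hit with an error key, then map it to a resolution via the lookup.
search = index=iis_perf sourcetype=apppool_metrics mem_pct>90 \
| eval error="high_memory" \
| stats count by host, app_pool, error \
| lookup resolutions.csv error OUTPUT resolution \
| table host app_pool count error resolution

# Run every 15 minutes over the last 15 minutes.
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now

# Trigger condition: at least one result row.
counttype = number of events
relation = greater than
quantity = 0

action.email = 1
action.email.to = ops@example.com
action.email.subject = Splunk Alert: $name$

# Inline the result table so the resolution column appears in the mail body.
action.email.sendresults = 1
action.email.inline = 1
action.email.format = table

# message.alert is the body text used when the saved search fires as an alert;
# message.report is the body text used for scheduled report emails.
# $result.<field>$ expands to the value from the first result row.
action.email.message.alert = Alert "$name$" fired for $result.app_pool$ on \
$result.host$. Suggested resolution: $result.resolution$
```

With more than one row in the results, the `$result.*$` tokens only reflect the first row, so the inline table is what carries the per-row resolution.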