Alerting

Create dynamic alert link

Poojitha
Path Finder

Hi all,

I have created a search which returns a set of email addresses and a few hosts, and I am using the table command to display that.

Result looks like below:

Hostname   Agent Version   Email
host1      1.0             test1@gmail.com
host2      2.0             test2@gmail.com
host3      2.0             test1@gmail.com
host4      2.0             test1@gmail.com

Now, I want to send separate emails to test1@gmail.com and test2@gmail.com. Each email should only contain the hosts belonging to that recipient, i.e. host1, host3, host4 and their agent versions should go to test1@gmail.com, and host2 should go to test2@gmail.com.

I want to embed a link in the alert email body that redirects to the search result and contains only the hostnames that belong to the particular recipient. Can anyone help me with how to generate a dynamic alert link?

Regards,
PNV


Poojitha
Path Finder

@_JP: Yes, proper display of information. Probably it is pretty much a custom requirement. After some research, I am now able to do that with the sendemail command.

<my initial search here>
| table hostname owner version
| outputcsv test.csv
| stats values(owner) as email
| mvexpand email
| eval subject="Test Alert", email_body="This is test email body"
| map search="| inputcsv test.csv | where owner=\"$email$\" | sendemail sendcsv=true to=\"$email$\" subject=\"$subject$\" message=\"$email_body$\""

Example: If I have users test1 and test2, hosts that belong to test1 are sent to test1@gmail.com and hosts that belong to test2 are sent to test2@gmail.com. The CSV file is getting sent.

But now the problem is that the subject and email body are not getting displayed as I set them. It's just showing "Splunk Result" 😞


_JP
Contributor

Based on your description it sounds like you're wanting something pretty custom for your environment. There's not quite this type of data-splitting, alerting, and re-display framework in Splunk.

First suggestion: check out Splunkbase for any add-ons having to do with alerting. Maybe one of these has a good-enough implementation for what you need. Here are the results of the keyword "alert" for all the apps out there:

https://splunkbase.splunk.com/apps?keyword=alert

From what I understand of your description, a big part of what you want is a meaningful display of information to the person handling the alert. One way to solve this is to create a Splunk dashboard that expects inputs via the URL, just like the ?keyword=alert in the above URL. When you include values like that in the URL for a dashboard you can access them as tokens (within your SimpleXML, for example).

A lot of times there is the SPL that goes into triggering an alert, and those results have a lot of "plumbing" data in them that helped trigger the alert.  So that result set isn't very actionable by the responder.  This is why you would create a custom dashboard that expects token inputs (like a timeframe and hostname), and then it renders visualizations for that host in that timeframe that helps them troubleshoot in response to the email.

If you haven't already, install the Splunk Dashboard Examples app - it has a lot of good tips and tricks for creating dashboards.

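Added example, not code from either poster: it combines the per-recipient sendemail approach from the reply above with the dynamic drilldown link the original question asks for, and also builds the dashboard-style link with URL tokens that _JP suggests. It assumes fields hostname, version and owner (an email address), a Splunk Web base URL https://splunk.example.com:8000, an index named main, and a dashboard with id host_triage that has a text input with token hosts; all of those are placeholders.

```spl
<my initial search here>
| eval hostline = hostname . " (agent " . version . ")"   ```each row becomes "host1 (agent 1.0)"; fields are assumed```
| stats values(hostline) AS hosts values(hostname) AS hostnames BY owner   ```one row per recipient```
| eval host_filter = "\"" . mvjoin(hostnames, "\",\"") . "\""   ```quote every hostname: "host1","host3"```
| eval drill_spl = "search index=main host IN (" . host_filter . ") earliest=-24h latest=now"   ```index name is an assumption```
| eval search_link = "https://splunk.example.com:8000/app/search/search?q=" . urlencode(drill_spl)   ```urlencode() keeps quotes, spaces and parentheses safe in the q= parameter```
| eval dash_link = "https://splunk.example.com:8000/app/search/host_triage?form.hosts=" . urlencode(mvjoin(hostnames, ","))   ```form.<token> prefills a dashboard input; dashboard id and token are assumptions```
| eval subject = "Agent version alert for " . mvcount(hostnames) . " of your hosts"
| eval email_body = "Hosts assigned to you: " . mvjoin(hosts, ", ") . ". Search results: " . search_link . " Dashboard: " . dash_link
| map search="| makeresults | sendemail to=\"$owner$\" subject=\"$subject$\" message=\"$email_body$\""   ```$owner$, $subject$, $email_body$ are substituted per row; makeresults gives sendemail one event to act on```
```

With the sample table from the question, test1@gmail.com receives one mail listing host1, host3 and host4 whose link searches host IN ("host1","host3","host4"), and test2@gmail.com receives one mail for host2 only.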