Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Email Alert

zacksoft
Contributor
‎02-08-2018 05:31 AM

I am setting up an alert for the first time.
My query ends with,
| table host,error
where "host" is host1, host2, host3 etc.. AND "error" is severe, critical, minor ..etc and blank rows as well.
Help is needed in the following two things.
I want my alert email to trigger only when,

1. Host has some corresponding 'error' value .(Don't trigger when 'error' is NULL)

2. The email header should contain Host name and the corresponding 'error' message.

   example-  "Host2 -Minor"
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎02-08-2018 05:42 AM

Hi @zacksoft,
Can you please try this
1. Host has some corresponding 'error' value .(Don't trigger when 'error' is NULL)

Can we add filter in your search?
like 

YOUR_SEARCH | search error!=NULL  | table host,error

  1. The email header should contain Host name and the corresponding 'error' message.
    add below line your alert in savedsearch.conf file:

    [my_alert]
    action.email.subject.alert = $result.host$ - $result.error$

Thanks

View solution in original post

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎02-08-2018 05:58 AM

Hi @zacksoft,
you can try to search for error containing value instead of !=null value

<base_search>|search error=*|table host,error

set alert if result count>0
and you can set alert message as suggested by @kamlesh_vaghela

[my_alert] action.email.subject.alert = $result.host$ - $result.error$

it can be done via UI in Settings>>Searches, reports, and alerts and its stanza will get stored in ...<app_name>/local/savedsearches.conf

Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎02-08-2018 05:42 AM

Hi @zacksoft,
Can you please try this
1. Host has some corresponding 'error' value .(Don't trigger when 'error' is NULL)

Can we add filter in your search?
like 

YOUR_SEARCH | search error!=NULL  | table host,error

  1. The email header should contain Host name and the corresponding 'error' message.
    add below line your alert in savedsearch.conf file:

    [my_alert]
    action.email.subject.alert = $result.host$ - $result.error$

Thanks

0 Karma
Reply
Solved! Jump to solution

zacksoft
Contributor
‎02-08-2018 05:47 AM

where can I find savedsearch.conf file ? I usually click on 'edit alert' option and set things in there !!!

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎02-08-2018 05:51 AM

in Settings>>Searches, reports, and alerts you can create alert

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎02-08-2018 05:50 AM

Please check below path.

SPLUNK_HOME/etc/apps/My_APP/local/savedsearches.conf

SPLUNK_HOME/etc/users/USER_NAME/My_APP/local/savedsearches.conf
0 Karma
Reply
Solved! Jump to solution

zacksoft
Contributor
‎02-08-2018 06:16 AM

The Query's output sort of gives result like
Host1 - minor
Host1- minor
Host1 - minor
Host1 - critical

I am getting multiple alerts for 'minor' type. I cannot reduce the cron frequency becasue I don't wanna miss the 'critical' errros. Can we may be only select the 'distinct values' of error or suppress if the same error is repeating ....

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎02-08-2018 06:23 AM

Use |dedup error

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...