Alerting

Email Alert

zacksoft
Contributor

I am setting up an alert for the first time.
My query ends with,
| table host,error
where "host" is host1, host2, host3 etc.. AND "error" is severe, critical, minor ..etc and blank rows as well.
Help is needed in the following two things.
I want my alert email to trigger only when,

1. Host has some corresponding 'error' value .(Don't trigger when 'error' is NULL)

2. The email header should contain Host name and the corresponding 'error' message.

   example-  "Host2 -Minor"
Tags (1)
0 Karma
1 Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust

Hi @zacksoft,
Can you please try this
1. Host has some corresponding 'error' value .(Don't trigger when 'error' is NULL)

Can we add filter in your search?
like

YOUR_SEARCH | search error!=NULL  | table host,error
  1. The email header should contain Host name and the corresponding 'error' message.
    add below line your alert in savedsearch.conf file:

    [my_alert]
    action.email.subject.alert = $result.host$ - $result.error$

Thanks

View solution in original post

0 Karma

493669
Super Champion

Hi @zacksoft,
you can try to search for error containing value instead of !=null value

<base_search>|search error=*|table host,error

set alert if result count>0
and you can set alert message as suggested by @kamlesh_vaghela

[my_alert] action.email.subject.alert = $result.host$ - $result.error$

it can be done via UI in Settings>>Searches, reports, and alerts and its stanza will get stored in ...<app_name>/local/savedsearches.conf

kamlesh_vaghela
SplunkTrust
SplunkTrust

Hi @zacksoft,
Can you please try this
1. Host has some corresponding 'error' value .(Don't trigger when 'error' is NULL)

Can we add filter in your search?
like

YOUR_SEARCH | search error!=NULL  | table host,error
  1. The email header should contain Host name and the corresponding 'error' message.
    add below line your alert in savedsearch.conf file:

    [my_alert]
    action.email.subject.alert = $result.host$ - $result.error$

Thanks

0 Karma

zacksoft
Contributor

where can I find savedsearch.conf file ? I usually click on 'edit alert' option and set things in there !!!

0 Karma

493669
Super Champion

in Settings>>Searches, reports, and alerts you can create alert

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

Please check below path.

SPLUNK_HOME/etc/apps/My_APP/local/savedsearches.conf

SPLUNK_HOME/etc/users/USER_NAME/My_APP/local/savedsearches.conf
0 Karma

zacksoft
Contributor

The Query's output sort of gives result like
Host1 - minor
Host1- minor
Host1 - minor
Host1 - critical

I am getting multiple alerts for 'minor' type. I cannot reduce the cron frequency becasue I don't wanna miss the 'critical' errros. Can we may be only select the 'distinct values' of error or suppress if the same error is repeating ....

0 Karma

493669
Super Champion

Use |dedup error

0 Karma
Get Updates on the Splunk Community!

Accelerate Service Onboarding, Decomposition, Troubleshooting - and more with ITSI’s ...

Accelerate Service Onboarding, Decomposition, Troubleshooting - and more! Faster Time to ValueManaging and ...

New Release | Splunk Enterprise 9.3

Admins and Analyst can benefit from:  Seamlessly route data to your local file system to save on storage ...

2024 Splunk Career Impact Survey | Earn a $20 gift card for participating!

Hear ye, hear ye! The time has come again for Splunk's annual Career Impact Survey!  We need your help by ...