How to create alert based on index name to differe...

splunking4me · ‎10-11-2022

Hello,

we are ingesting data on multiple indexes for different departments. we want to create an alert when any index is not receiving logs from host should send and email to specific department mail address. we created a lookup .csv file and mention indexname and email address. below is the query which i am trying to execute but no results.

| tstats latest(_time) as latest where index=* earliest=-6h by host
| eval recent = if(latest > relative_time(now(),"-45m"),1,0), realLatest = strftime(latest,"%c")
| where recent=0
| outputlookup weblogs-index.csv
| stats values(useremail) AS emailToHeader | mvexpand emailToHeader
| map search="index | inputlookup weblogs-index.csv | where useremail=\"$emailToHeader$\"
| fields - useremail
| sendemail
sendresults=true inline=true
server=\"Your.Value.Here\"
from=\"Your.Value.Here\"
to=\"$emailToHeader$\"
subject=\"Your Subject here: \$name\$\"
message=\"This report alert was generated by \$app\$ Splunk with this search string: \$search\$\""
| appendpipe [|inputlookup weblogs-index.csv]

How to create alert based on index name to different email address?

alert action

alert condition

email

BORE at .conf25

OpenTelemetry for Legacy Apps? Yes, You Can!

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

Are you a member of the Splunk Community?