How to generate multiple alert email based on 2 co...

Roopaul · ‎06-02-2016

Hi,

I have a requirement to generate alerts every 15 mins if a particular condition occurs. Then I need to group data from a few server in one alert and data from other set of server in another alert.
srvrA - srvr1,srvr2
srvrB - srvr3,srvr4,srvr5

Could you please help me how to use the condition from same query and send 2 different emails.

nunoaragao · ‎03-31-2017

If you add the recipients on a new column, you can configure the alert to send to $results.recipient$, and must set the alert to process a new email for each result. You can even aggregate the results with values() or list() so that each recipient only receives one alert. ( Tested on 6.5.x )

stats values(fieldA) values(fieldB) values(_raw) by recipient

on savedsearches.conf :
action.email.to = $result.recipient$
alert.digest_mode = 0

jhall_101215 · ‎03-30-2017

Not sure if this is what you were aiming for but martin had a good suggestion here: https://answers.splunk.com/answers/499889/send-emails-to-users-based-on-different-condtions.html

c_krishna_gutur · ‎02-07-2017

@Roopal: Even i got similar kind of requirement, did u find any solution for sending multiple alerts?

sundareshr · ‎06-02-2016

Create two alerts, both to run every 15mins looking for similar conditions to occur. Example

*Alert 1*
host=srvr1 OR host=srvr2 | stats count on alertcondition

*Alert 2*
host=srvr3 OR host=srvr4 OR host=srvr5 | stats count on alertcondition

Then setup alerts for each of these searches.

Roopaul · ‎06-03-2016

Thanks sundareshr.

Yes, I am aware of it that 2 different alerts can be created. But i would like to know if there is a way this can be handled in a single alert or single saved search.

How to generate multiple alert email based on 2 conditions?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes