Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- How to generate multiple alert email based on 2 co...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to generate multiple alert email based on 2 conditions?
Hi,
I have a requirement to generate alerts every 15 mins if a particular condition occurs. Then I need to group data from a few server in one alert and data from other set of server in another alert.
srvrA - srvr1,srvr2
srvrB - srvr3,srvr4,srvr5
Email for srvrA:
fieldA | field B | _raw
A1 | B1 | Event1
A1 | B2 | Event2
Email for srvrB:
fieldA | fieldB | _raw
A3 | B3 | Event1
A1 | B3 | Event2
Could you please help me how to use the condition from same query and send 2 different emails.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you add the recipients on a new column, you can configure the alert to send to $results.recipient$, and must set the alert to process a new email for each result. You can even aggregate the results with values() or list() so that each recipient only receives one alert. ( Tested on 6.5.x )
stats values(fieldA) values(fieldB) values(_raw) by recipient
fieldA | field B | _raw | recipient
A1 | B1 | Event1 | ServersA@xxx.xx
A1 | B2 | Event2 |
A3 | B3 | Event1 | ServersB@xxx.xx
A1 | B3 | Event2 |
on savedsearches.conf :
action.email.to = $result.recipient$
alert.digest_mode = 0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not sure if this is what you were aiming for but martin had a good suggestion here: https://answers.splunk.com/answers/499889/send-emails-to-users-based-on-different-condtions.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Roopal: Even i got similar kind of requirement, did u find any solution for sending multiple alerts?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Create two alerts, both to run every 15mins looking for similar conditions to occur. Example
*Alert 1*
host=srvr1 OR host=srvr2 | stats count on alertcondition
*Alert 2*
host=srvr3 OR host=srvr4 OR host=srvr5 | stats count on alertcondition
Then setup alerts for each of these searches.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks sundareshr.
Yes, I am aware of it that 2 different alerts can be created. But i would like to know if there is a way this can be handled in a single alert or single saved search.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
