- Splunk Answers
- :
- Using Splunk
- :
- Alerting
- :
- Re: How to send email alert to different users bas...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Alert search query goes like:
index=oraclecon2 source=OracleCon2 sourcetype=OracleCon2 earliest=-10m@m latest=now BranchIdentifier=* | sort _time | stats avg(EWS) as EwsNow by SensorId BranchIdentifier| appendcols [search index=oraclecon2 source=OracleCon2 sourcetype=OracleCon2 earliest=-20m@m latest=-10m@m BranchIdentifier=* | sort _time | stats avg(EWS) as EwsThen by SensorId BranchIdentifier ] | eval difference=(EwsNow-EwsThen) | eval SendAlert= case(difference < 0.5,"No",difference > 0.5,"Yes") | search SendAlert="Yes" | table BranchIdentifier SensorId EwsThen EwsNow | dedup SensorId
It provides me data as:
BranchIdentifier SensorId EwsThen EwsNow
1 1 6 7
1 2 7 8
2 7 8 9
4 11 2 4
Now I want to send this email to different branch manager of branches 1, 2 and 4 and want to attach only part of alert result that is related to their branch. I have many branches in the same index so I don't want to create separate alerts for each of them
I am new to splunk so not very well strong with search language, please help me with possible modifications that should do to this alert search to solve the problem
Thanks,
Zubair
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
here is some documentation on email alerts. You can send an alert email to different recipients based on search results by adding an eval statement in the search:
...|eval email=case(SendAlert="Yes" AND BranchIdentifier=1,"email@branch.com"....)...
and in your To box on the alert, add $result.email$
http://docs.splunk.com/Documentation/Splunk/6.5.2/Alert/Emailnotification#Send_email_to_different_re...
This Answers may be of help, though, also:
https://answers.splunk.com/answers/306424/how-to-set-a-custom-alert-condition-to-send-multip.html
Infographic provides the TL;DR for the 2023 Splunk Career Impact Report
Splunk Lantern | Getting Started with Edge Processor, Machine Learning Toolkit ...
Enterprise Security Content Update (ESCU) | New Releases
