I created a search which displays below results:
Server component Proxy Count A AB ABC 2 A AB ABD 4 A AC ABC 2
I need to send an email for each component i.e.
Server component Proxy Count A AB ABC 2 B AB ABD 4
Server component Proxy Count A AC ABC 2
Can someone help?
I'm a tech writer here at Splunk and I work on alerting documentation. I am looking into this and will post some documentation resources that should help. I'll report back shortly!
Great. That will be really helpful. Looking forward to it.
Do you have any high level date on when this will be available as i am working on an urgent requirement.
Here is what I would suggest:
1) Set up scheduled reports that run this query for each component (not sure how many components you anticipate)
2) Set up an email action for those reports so that you get emails when the scheduled report is done. You can include information from the search results in the alert emails.
Here is some documentation on using scheduled reports:
Hope this helps! Let me know if not and we can continue discussing.
I am doing scheduled reports for this alert. But my requirement is I want to send an email based on the output of the query (see my example above).
@justinatpnnl - The recipents are going to be the same. the email content will vary based on the output as i mentioned above.
Do you need to send to different email addresses based on the component? Or just fire separate emails but all to the same address?
What if you tried something like this:
| stats list(Server) as Server, list(Proxy) as Proxy, list(Count) as Count by Component
That would give you something like this as a result, where each component has its own row (this may not display correctly below, but hopefully you get the idea):
Component Server Proxy Count AB A ABC 2 B ABD 4 AC A ABC 2
Now you can save this as an alert and fire "For each result". Would that work for you?
this is great. Yes this will defintely work for me. I was unaware of "list" argument and was using "values". Thanks a lot!!
For this described method, how do I make each multivalued field show up on a new line instead of bunched together on one line in an email alert with an Inline Table?
For example, I want the table in the email to show up like the table described in the answer. However, in my emails, I'm getting a table with "A" and "B" showing up as "A B" on one line instead of a separate row for server "B".
Yes, we also faced the same issue and it looks like a limitation with splunk. In the email the field size is determined as per the width of the column heading. So what we did is we manipulated the column width by adding spaces to the column name (it should be higher than the result's highest length):
|eval server= server." "|
Hope this helps.