Alerting

Is it possible to create an email notification based off an error report?

cbiraris
Path Finder

Hello Team,

Is it possible to create an error report that runs every 30 minutes, where the mail notification is raised only if 20 ERROR events are generated in the last 30 minutes?

Example:

index=ABC sourcetype=XYZ "ERROR"=999

I need help to create a report like this.

Tags (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Splunk calls such reports "alerts".

---
If this reply helps you, Karma would be appreciated.
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @cbiraris,

let me understand: you want to fire the alert if the alert was fired 20 times, is it correct?

In this case you have to create two alerts:

  1. the first has to check your condition and the only related action is to write an event in a summary index, no eMail,
  2. the second is on the summary index and checks if you had 20 alerts in the last 30 minutes and has the action to send the eMail.

Ciao.

Giuseppe

cbiraris
Path Finder

@gcusello  

Thank you for writing me back.

I want to create a report which will run every 30 minutes, but if there are 20 ERROR events in the last 30 minutes then it should only trigger an email notification, like alerts normally do.

I know it may be possible with a lookup, but I am not sure how to create it. Could you please help with sample code and direction?

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @cbiraris.

let me understand:

  • you need a report scheduled every 30 minutes that is created every time,
  • then you need an alert that has to send an eMail if you have more than 20 values,

is it correct?

If this is your need, you can create two objects:

  • a report scheduled every 30 minutes,
  • an alert that fires if there are more than 20 values and sends an eMail.

Ciao.

Giuseppe

cbiraris
Path Finder

@gcusello 

Yes, you are right. I need both a report and an alert, but if the alert fires, the email should contain the report.

So, is it possible?

Thank you 🙂    

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @cbiraris,

as I said, you have to create two different objects:

  • a report that is sent in every condition,
  • an alert that fires when there's your condition (count>20) and has the report as attachment.

They use the same search, but the alert has the additional condition count>20.

Ciao.

Giuseppe

cbiraris
Path Finder

Wow..! Thank you so much @gcusello 

It worked.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @cbiraris,

good for you, see next time!

Please accept one answer for the other people of Community

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors 😉

scelikok
SplunkTrust
SplunkTrust

Hi @cbiraris,

You can filter the event count like below and save it as an alert:

index=ABC sourcetype=XYZ "ERROR"=999 | stats count | search count>20

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
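The two objects gcusello describes, written out as savedsearches.conf stanzas. This is an added example, not configuration from the thread: the search is the one in the question, the count>20 check follows scelikok's filter, and the recipient address, stanza names, field list and app context are assumptions.

```ini
# savedsearches.conf (added example; adapt names and recipients to your app)

# 1) The report: same search as the question, runs every 30 minutes and is
#    mailed on every run, regardless of how many ERROR events were found.
[ERROR report every 30m]
search = index=ABC sourcetype=XYZ "ERROR"=999 | table _time host source _raw
dispatch.earliest_time = -30m@m
dispatch.latest_time = now
enableSched = 1
cron_schedule = */30 * * * *
action.email = 1
action.email.to = soc@example.com
action.email.subject = ERROR report (last 30 minutes)
action.email.sendresults = 1
action.email.inline = 1
action.email.sendcsv = 1

# 2) The alert: same search and schedule, plus the count>20 condition.
#    eventstats keeps the individual rows (the "report") while adding the
#    total, so the custom trigger condition can test the total and the
#    e-mail still carries the rows as its attachment.
[ERROR burst alert]
search = index=ABC sourcetype=XYZ "ERROR"=999 | eventstats count AS total_errors | table _time host source _raw total_errors
dispatch.earliest_time = -30m@m
dispatch.latest_time = now
enableSched = 1
cron_schedule = */30 * * * *
alert_type = custom
alert_condition = search total_errors > 20
alert.track = 1
action.email = 1
action.email.to = soc@example.com
action.email.subject = More than 20 ERROR events in the last 30 minutes
action.email.sendresults = 1
action.email.inline = 1
action.email.sendcsv = 1
```

If only the number matters and the rows are not needed in the mail, scelikok's shorter form works as the alert search instead: `... | stats count | search count>20` with `alert_type = number of events`, `alert_comparator = greater than` and `alert_threshold = 0`.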