Is it possible to setup a single alert combining two different searches to send results to two different emails?

RecoMark0
Path Finder

Hello,
I'd like to combine the following two searches into a single alert. The alert would send an email to a specific email, based on the results.

Search #1

sourcetype="Test Log" pizza | sendemail to=abc@mydomain.com format=html server=my.server.net from=Splunk.Alert@mydomain.com sendresults=true subject="search email test #1" message=search_results 

Search #2

sourcetype="Test Log" baseball | sendemail to=def@mydomain.com format=html server=my.server.net from=Splunk.Alert@mydomain.com sendresults=true subject="search email test #2" message=search_results

Is it possible to set these up as a single alert, sending different emails based on whether "pizza" or "baseball" is found?

Or do I need to make two separate alerts for each result?

0 Karma
1 Solution

martin_mueller
SplunkTrust

Is there a reason to manually use sendemail rather than using the standard email alert action?

Using that, you can define one search like this:

sourcetype="Test Log" (pizza OR baseball) | eventstats count(eval(searchmatch("pizza"))) as pizzas count(eval(searchmatch("baseball"))) as baseballs | eval to = rtrim(if(pizzas > 0, "abc@mydomain.com,", "") + if(baseballs > 0, "def@mydomain.com,", ""), ",")

Then set the To: field to $result.to$... requires 6.1 I believe.

RecoMark0
Path Finder

Your solution worked perfectly for the pizza/baseball sample I provided, thank you. You are right though, it mixes them up together, so it would not be ideal for my real world scenario.

0 Karma

martin_mueller
SplunkTrust

Ah, so this is a per-result alert? If so then my eventstats approach may not be appropriate, as that calculates one recipient list for the entire result set... so the baseball admin would get pizzas mixed in his baseballs if both occurred in one search result set.

I don't think I've tested that so far, but you should be able to calculate a different To: address in each event and a per-result alert should mail one event to each address rather than the entire set to the first address it finds.

RecoMark0
Path Finder

We have multiple clients on different servers, and instead of creating 2 alerts for the same issue, I want to create a single alert, but send to different emails based on a host value. So if the alert goes off on the server "client01", it will send the email to client01, and if it goes off on "client02" it will be sent to "client02".

0 Karma

martin_mueller
SplunkTrust

I'm still not quite sure what you're trying to achieve by merging the two aspects into one alert though...

0 Karma

RecoMark0
Path Finder

No reason, I have been using that $result.<>$ parameter in the subject line of emails, but had no idea you could use it in the email To/CC/BCC fields! Awesome information, thank you. I will try this.

0 Karma
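The per-result, host-based variant discussed above, written as a savedsearches.conf stanza. This is an added example, not a configuration from the thread: the stanza name and the lookup "client_contacts" (mapping host to contact_email) are assumptions; the sourcetype, mail server and sender address come from the thread.

```ini
# Added example (not from the thread). Assumes a lookup definition named
# "client_contacts" with fields host and contact_email.
[client_log_alert]
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
# Derive the recipient from a lookup keyed by host rather than from the raw
# event text, so that whoever writes to the log cannot steer where alert
# mail goes; events whose host has no contact entry are dropped, not mailed.
search = sourcetype="Test Log" (pizza OR baseball) | lookup client_contacts host OUTPUT contact_email AS to | where isnotnull(to)
counttype = number of events
relation = greater than
quantity = 0
# 0 = trigger once per result, so each event is mailed only to its own "to"
alert.digest_mode = 0
action.email = 1
action.email.to = $result.to$
action.email.from = Splunk.Alert@mydomain.com
action.email.subject = Test Log alert for $result.host$
action.email.format = html
action.email.sendresults = 1
action.email.mailserver = my.server.net
```

With digest mode off, each result becomes its own trigger, so $result.to$ and $result.host$ are filled from that single event instead of from the first row of the whole result set.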