Alerting

Is it possible to setup a single alert combining two different searches to send results to two different emails?

RecoMark0
Path Finder

Hello,
I'd like to combine the following two searches into a single alert. The alert would send an email to a specific address, based on the results.

Search #1

sourcetype="Test Log" pizza | sendemail to=abc@mydomain.com format=html server=my.server.net from=Splunk.Alert@mydomain.com sendresults=true subject="search email test #1" message=search_results

Search #2

sourcetype="Test Log" baseball | sendemail to=def@mydomain.com format=html server=my.server.net from=Splunk.Alert@mydomain.com sendresults=true subject="search email test #2" message=search_results

Is it possible to set these up as a single alert, sending different emails based on whether "pizza" or "baseball" is found?

Or do I need to make two separate alerts for each result?

1 Solution

martin_mueller
SplunkTrust

Is there a reason to manually use sendemail rather than using the standard email alert action?

Using that, you can define one search like this:

sourcetype="Test Log" (pizza OR baseball) | eventstats count(eval(searchmatch("pizza"))) as pizzas count(eval(searchmatch("baseball"))) as baseballs | eval to = rtrim(if(pizzas > 0, "abc@mydomain.com,", "") + if(baseballs > 0, "def@mydomain.com,", ""), ",")

Then set the To: field to $result.to$... requires 6.1 I believe.


RecoMark0
Path Finder

Your solution worked perfectly for the pizza/baseball sample I provided, thank you. You are right though, it mixes them up together, so it would not be ideal for my real world scenario.


martin_mueller
SplunkTrust

Ah, so this is a per-result alert? If so then my eventstats approach may not be appropriate, as that calculates one recipient list for the entire result set... so the baseball admin would get pizzas mixed in his baseballs if both occurred in one search result set.

I don't think I've tested that so far, but you should be able to calculate a different To: address in each event and a per-result alert should mail one event to each address rather than the entire set to the first address it finds.

RecoMark0
Path Finder

We have multiple clients on different servers, and instead of creating 2 alerts for the same issue, I want to create a single alert, but send to different emails based on a host value. So if the alert goes off on the server "client01", it will send the email to client01, and if it goes off on "client02" it will be sent to "client02".

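The host-based routing described above, as one complete savedsearches.conf stanza. This is an added example, not configuration from the thread or from Splunk's own documentation; it assumes the index and sourcetype of the original searches, the mail server and from-address used in the original sendemail commands, two hosts named client01 and client02, the search term "ERROR" as a stand-in for the real issue, and the recipient addresses, which are all constructed placeholders. Unlike the eventstats version in the accepted answer, which computes one recipient list for the whole result set, this uses a per-result trigger (alert.digest_mode = 0) so each event carries its own "to" value into $result.to$.

```ini
# savedsearches.conf - constructed example stanza (not from the thread)
# Assumptions: sourcetype "Test Log", hosts client01/client02, mail server
# my.server.net and from-address Splunk.Alert@mydomain.com as in the OP's
# searches; "ERROR" stands in for the real issue being alerted on.
[client_issue_alert]
# Map host to a fixed recipient with case(); the true() branch is a fallback
# so an unexpected host value never becomes a mail address on its own.
search = sourcetype="Test Log" "ERROR" (host=client01 OR host=client02) \
| eval to = case(host=="client01", "client01-ops@mydomain.com", \
                 host=="client02", "client02-ops@mydomain.com", \
                 true(), "fallback-ops@mydomain.com")

# Scheduling: run every 15 minutes over the last 15 minutes.
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now

# Trigger whenever the search returns at least one event.
counttype = number of events
relation = greater than
quantity = 0

# Per-result triggering: one alert per matching event, so $result.to$ is
# evaluated for each event. digest_mode = 1 would send the whole set once,
# to whichever address the first result carries.
alert.digest_mode = 0

# Standard email alert action; the To: field is taken from the event's "to".
action.email = 1
action.email.to = $result.to$
action.email.from = Splunk.Alert@mydomain.com
action.email.mailserver = my.server.net
action.email.format = html
action.email.sendresults = 1
action.email.inline = 1
action.email.subject = Alert on $result.host$
```

The explicit case() mapping, rather than building the address from the host field directly, keeps the set of possible recipients to the addresses listed in the stanza; the search filter on host and the fallback branch mean a result with an unexpected host value is still delivered, but only to an address the administrator chose. The same stanza could be extended with further case() branches as more clients are added, without touching the alert action settings.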

martin_mueller
SplunkTrust

I'm still not quite sure what you're trying to achieve by merging the two aspects into one alert though...


RecoMark0
Path Finder

No reason, I have been using that $result.<>$ parameter in the subject line of emails, but had no idea you could use it in the email To/CC/BCC fields! Awesome information, thank you. I will try this.
