I'd like to combine the following two searches into a single alert. The alert would send an email to a specific address, based on the results.
sourcetype="Test Log" pizza | sendemail email@example.com format=html server=my.server.net from=Splunk.Alert@mydomain.com sendresults=true subject="search email test #1" message=search_results
sourcetype="Test Log" baseball | sendemail firstname.lastname@example.org format=html server=my.server.net from=Splunk.Alert@mydomain.com sendresults=true subject="search email test #2" message=search_results
Is it possible to set these up as a single alert, sending different emails based on whether "pizza" or "baseball" is found?
Or do I need to make two separate alerts for each result?
Is there a reason to manually use sendemail rather than using the standard email alert action?
Using that, you can define one search like this:
sourcetype="Test Log" (pizza OR baseball) | eventstats count(eval(searchmatch("pizza"))) as pizzas count(eval(searchmatch("baseball"))) as baseballs | eval to = rtrim(if(pizzas > 0, "email@example.com,", "") + if(baseballs > 0, "firstname.lastname@example.org,", ""), ",")
Then set the To: field to $result.to$... requires 6.1 I believe.
No reason, I have been using that $result.<>$ parameter in the subject line of emails, but had no idea you could use it in the email To/CC/BCC fields! Awesome information, thank you. I will try this.
I'm still not quite sure what you're trying to achieve by merging the two aspects into one alert though...
We have multiple clients on different servers, and instead of creating 2 alerts for the same issue, I want to create a single alert, but send to different emails based on a host value. So if the alert goes off on the server "client01", it will send the email to client01, and if it goes off on "client02" it will be sent to "client02".
Ah, so this is a per-result alert? If so then my eventstats approach may not be appropriate, as that calculates one recipient list for the entire result set... so the baseball admin would get pizzas mixed in his baseballs if both occurred in one search result set.
I don't think I've tested that so far, but you should be able to calculate a different To: address in each event and a per-result alert should mail one event to each address rather than the entire set to the first address it finds.
Your solution worked perfectly for the pizza/baseball sample I provided, thank you. You are right though, it mixes them up together, so it would not be ideal for my real world scenario.