Alerting

Is it possible to setup a single alert combining two different searches to send results to two different emails?

Path Finder

Hello,
I'd like to combine the following two searches, to a single alert. The alert would send an email to a specific email, based on the results.

Search #1

sourcetype="Test Log" pizza | sendemail to=abc@mydomain.com format=html server=my.server.net from=Splunk.Alert@mydomain.com sendresults=true subject="search email test #1" message=search_results 

Search #2

sourcetype="Test Log" baseball | sendemail to=def@mydomain.com format=html server=my.server.net from=Splunk.Alert@mydomain.com sendresults=true subject="search email test #2" message=search_results

Is it possible to set these up as a single alert, sending different emails based on whether "pizza" or "baseball" is found?

Or do I need to make two separate alerts for each result?


Re: Is it possible to setup a single alert combining two different searches to send results to two different emails?

SplunkTrust

Is there a reason to manually use sendemail rather than using the standard email alert action?

Using that, you can define one search like this:

sourcetype="Test Log" (pizza OR baseball) | eventstats count(eval(searchmatch("pizza"))) as pizzas count(eval(searchmatch("baseball"))) as baseballs | eval to = rtrim(if(pizzas > 0, "abc@mydomain.com,", "") + if(baseballs > 0, "def@mydomain.com,", ""), ",")

Then set the To: field to $result.to$... requires 6.1 I believe.


Re: Is it possible to setup a single alert combining two different searches to send results to two different emails?

Path Finder

No reason, I have been using that $result.<>$ parameter in the subject line of emails, but had no idea you could use it in the email To/CC/BCC fields! Awesome information, thank you. I will try this.


Re: Is it possible to setup a single alert combining two different searches to send results to two different emails?

SplunkTrust

I'm still not quite sure what you're trying to achieve by merging the two aspects into one alert though...


Re: Is it possible to setup a single alert combining two different searches to send results to two different emails?

Path Finder

We have multiple clients on different servers, and instead of creating 2 alerts for the same issue, I want to create a single alert, but send to different emails based on a host value. So if the alert goes off on the server "client01", it will send the email to client01, and if it goes off on "client02" it will be sent to "client02".


Re: Is it possible to setup a single alert combining two different searches to send results to two different emails?

SplunkTrust

Ah, so this is a per-result alert? If so then my eventstats approach may not be appropriate, as that calculates one recipient list for the entire result set... so the baseball admin would get pizzas mixed in his baseballs if both occurred in one search result set.

I don't think I've tested that so far, but you should be able to calculate a different To: address in each event and a per-result alert should mail one event to each address rather than the entire set to the first address it finds.
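
The per-result variant described in the reply above, written out as a savedsearches.conf stanza. This is an added example, not configuration posted in the thread: the stanza name, the cron schedule, the time window, the suppression settings and the lookup name host_contacts are assumptions chosen for illustration. The recipient field "to" is computed per event with case() instead of the eventstats approach, so each event carries its own address, and alert.digest_mode = 0 makes the email action run once per result, with $result.to$ resolving to that event's recipient.

```ini
# savedsearches.conf (added example; stanza name and schedule are assumptions)
[route_alert_by_match]
# One scheduled search; the recipient is computed per event in a field named "to".
# case() assigns a fixed address per match and the first matching branch wins, so an
# event containing both "pizza" and "baseball" goes to the pizza owner only.
search = sourcetype="Test Log" (pizza OR baseball) \
| eval to=case(searchmatch("pizza"), "abc@mydomain.com", \
               searchmatch("baseball"), "def@mydomain.com")
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = now

# Trigger whenever at least one event is returned.
counttype = number of events
relation = greater than
quantity = 0

# Per-result alert: the email action runs once per event, so $result.to$ is that
# event's recipient rather than the recipient found in the first row of the set.
alert.digest_mode = 0
alert.track = 1

# Per-result alerts can flood a mailbox; suppress repeats per host for an hour.
alert.suppress = 1
alert.suppress.fields = host
alert.suppress.period = 1h

action.email = 1
action.email.to = $result.to$
action.email.from = Splunk.Alert@mydomain.com
action.email.mailserver = my.server.net
action.email.subject = Splunk alert on $result.host$
action.email.format = html
action.email.sendresults = 1
action.email.inline = 1

# Variant for the per-client scenario from later in the thread (assumed lookup):
# replace the eval with a lookup of host -> to, e.g. a host_contacts.csv with the
# columns "host,to", so adding a client means adding a row rather than editing SPL.
#
# [route_alert_by_host]
# search = sourcetype="Test Log" "some error" \
# | lookup host_contacts host OUTPUT to \
# | where isnotnull(to)
# (remaining keys identical to the stanza above)
```

The recipient should always come from fixed literals in the search or from a lookup that only administrators can edit, as above; never build "to" from a raw event field, since anyone who can write to the indexed log could then steer alert mail to an address of their choosing. The `where isnotnull(to)` in the lookup variant drops events for hosts with no contact row instead of letting the email action fail on an empty To: field.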


Re: Is it possible to setup a single alert combining two different searches to send results to two different emails?

Path Finder

Your solution worked perfectly for the pizza/baseball sample I provided, thank you. You are right though, it mixes them up together, so it would not be ideal for my real world scenario.
