Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there a way to set conditions for an alert to "sendmail" custom messages based on different values of certain fields?

packet_hunter
Contributor
‎02-02-2017 10:45 AM

I currently have two scheduled alerts that sendmail when the alert is triggered. The problem is that I would like to create just one alert with multiple conditions where if some_field = a then sendmail To: Recipient1 with Message: Event "a" occurred , please follow process "a". And if some_field = b then sendmail To: Recipient2 with Message: Event "b" occurred, please follow process "b", etc.

Some will probably suggest, just create separate alerts... which would work, but we don't want to overload the system with too many real-time or scheduled searches.

I was thinking about using eval with sendmail but need a little help with writing the code.

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

frobinson_splun
Splunk Employee
Splunk Employee
‎02-02-2017 02:52 PM

Hi @packet_hunter,
It sounds like you could use eval match to check for the field value that determines the recipient and content of your message, then use tokens to represent the field and recipient values. Set the recipient value conditionally depending on what the field value is, and use the tokenized field value in your email message to customize it.

See:
http://docs.splunk.com/Documentation/Splunk/6.5.0/Alert/EmailNotificationTokens
and
https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Eval

Here's an example use of eval + match to evaluate the "source" field for different values and set the "env" token accordingly. This search was used to generate form input labels. 

<search>
      <query>index=_internal | stats count by source |eval env=case(match(source,"metrics.*"),"Metrics", match(source,"license.*"),"License", match(source,"scheduler.*"), "Scheduler") | dedup env | table env</query>
    </search>

source: https://answers.splunk.com/answers/495097/why-is-my-dashboard-search-not-getting-updated-wit.html#co...

View solution in original post

Reply
Solved! Jump to solution
Solution

frobinson_splun
Splunk Employee
Splunk Employee
‎02-02-2017 02:52 PM

Hi @packet_hunter,
It sounds like you could use eval match to check for the field value that determines the recipient and content of your message, then use tokens to represent the field and recipient values. Set the recipient value conditionally depending on what the field value is, and use the tokenized field value in your email message to customize it.

See:
http://docs.splunk.com/Documentation/Splunk/6.5.0/Alert/EmailNotificationTokens
and
https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Eval

Here's an example use of eval + match to evaluate the "source" field for different values and set the "env" token accordingly. This search was used to generate form input labels. 

<search>
      <query>index=_internal | stats count by source |eval env=case(match(source,"metrics.*"),"Metrics", match(source,"license.*"),"License", match(source,"scheduler.*"), "Scheduler") | dedup env | table env</query>
    </search>

source: https://answers.splunk.com/answers/495097/why-is-my-dashboard-search-not-getting-updated-wit.html#co...

Reply
Solved! Jump to solution

gjanders
SplunkTrust
SplunkTrust
‎02-04-2017 01:02 PM

As an alternative, may I suggest sendresults ? I've used this to send different results to different people within the same alert, it also works by using eval's as above...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply
Solved! Jump to solution

packet_hunter
Contributor
‎02-03-2017 02:45 PM

Do you have a token example by chance? Thank you

0 Karma
Reply
Solved! Jump to solution

frobinson_splun
Splunk Employee
Splunk Employee
‎02-03-2017 02:58 PM

You can take a look at:
http://docs.splunk.com/Documentation/Splunk/6.5.0/Alert/Alertexamples

which includes an example of adding tokens to the email notifcation configuration fields

and

http://docs.splunk.com/Documentation/Splunk/6.5.0/Alert/Emailnotification

If you're new to working with tokens, we have an overview here:
http://docs.splunk.com/Documentation/Splunk/6.5.0/Viz/tokens

This topic discusses token usage in a dashboard context, but the general idea (using tokens to represent dynamic values) is the same.

Hope that helps!

0 Karma
Reply
Solved! Jump to solution

frobinson_splun
Splunk Employee
Splunk Employee
‎02-03-2017 03:03 PM

Also, here's an example of a query that lets you send notifications to different recipients based on a field count. It sounds pretty similar to what you're doing.

http://docs.splunk.com/Documentation/Splunk/6.5.0/Alert/Emailnotification#Send_email_to_different_re...

0 Karma
Reply
Solved! Jump to solution

packet_hunter
Contributor
‎02-03-2017 07:29 AM

Thank you for the reply, I will look into it and try it and let you know.

Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...