I currently have two scheduled alerts that sendmail when the alert is triggered. The problem is that I would like to create just one alert with multiple conditions where if some_field = a then sendmail To: Recipient1 with Message: Event "a" occurred , please follow process "a". And if some_field = b then sendmail To: Recipient2 with Message: Event "b" occurred, please follow process "b", etc.
Some will probably suggest, just create separate alerts... which would work, but we don't want to overload the system with too many real-time or scheduled searches.
I was thinking about using eval with sendmail but need a little help with writing the code.
Thanks
Hi @packet_hunter,
It sounds like you could use eval match to check for the field value that determines the recipient and content of your message, then use tokens to represent the field and recipient values. Set the recipient value conditionally depending on what the field value is, and use the tokenized field value in your email message to customize it.
See:
http://docs.splunk.com/Documentation/Splunk/6.5.0/Alert/EmailNotificationTokens
and
https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Eval
Here's an example use of eval + match to evaluate the "source" field for different values and set the "env" token accordingly. This search was used to generate form input labels.
<search>
<query>index=_internal | stats count by source |eval env=case(match(source,"metrics.*"),"Metrics", match(source,"license.*"),"License", match(source,"scheduler.*"), "Scheduler") | dedup env | table env</query>
</search>
Hi @packet_hunter,
It sounds like you could use eval match to check for the field value that determines the recipient and content of your message, then use tokens to represent the field and recipient values. Set the recipient value conditionally depending on what the field value is, and use the tokenized field value in your email message to customize it.
See:
http://docs.splunk.com/Documentation/Splunk/6.5.0/Alert/EmailNotificationTokens
and
https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Eval
Here's an example use of eval + match to evaluate the "source" field for different values and set the "env" token accordingly. This search was used to generate form input labels.
<search>
<query>index=_internal | stats count by source |eval env=case(match(source,"metrics.*"),"Metrics", match(source,"license.*"),"License", match(source,"scheduler.*"), "Scheduler") | dedup env | table env</query>
</search>
As an alternative, may I suggest sendresults ? I've used this to send different results to different people within the same alert, it also works by using eval's as above...
Do you have a token example by chance? Thank you
You can take a look at:
http://docs.splunk.com/Documentation/Splunk/6.5.0/Alert/Alertexamples
which includes an example of adding tokens to the email notifcation configuration fields
and
http://docs.splunk.com/Documentation/Splunk/6.5.0/Alert/Emailnotification
If you're new to working with tokens, we have an overview here:
http://docs.splunk.com/Documentation/Splunk/6.5.0/Viz/tokens
This topic discusses token usage in a dashboard context, but the general idea (using tokens to represent dynamic values) is the same.
Hope that helps!
Also, here's an example of a query that lets you send notifications to different recipients based on a field count. It sounds pretty similar to what you're doing.
Thank you for the reply, I will look into it and try it and let you know.