Mail Alert with multiple pieces of information

CesarCrt
Path Finder

Hello everyone,

Here is my search:

my_severity=error my_app="name" earliest=-48h latest=-24h
  | stats count as nb_yesterday by my_method limit=0
  | appendcols[search my_severity=error my_app="name" earliest=-24h latest=now | stats count as nb_today by my_method]
  | eval increase=round(nb_today*100/nb_yesterday)
  | eval status=if(increase>100 OR nb_today>10, "CRITICAL", "GOOD")
  | table my_method, nb_yesterday, increase, status, nb_today
  | sort nb_today desc

my_severity, my_app and my_method are fields that I created myself.

With my search, I get multiple results (and multiple lines) and I want to send one mail with the list of CRITICAL statuses, like:

"Hello, we notice some errors :

[name of the method(1)] [status] [increase] [nb_today]

[name of the method(2)] [status] [increase] [nb_today]

[name of the method(3)] [status] [increase] [nb_today]

... "

How can I send a mail with all the "CRITICAL" statuses, for example?

When I configure the mail alert with this body message:

"The method "$result.my_method$" was $result.status$ with $result.nb_today$ errors in the last 24 hours. (That's a $result.increase$% increase)"

It only sends a mail with the information from the first line.

Thanks.

manjunathmeti
Champion

Hi @CesarCrt,

You can use strcat to create the message for each row and use mvcombine to combine all the message field values into a single value.

| strcat "The method ",my_method," was ",status," with ",nb_today," errors in the last 24hours. (That's a ",increase,"% increase)" message 
| fields message 
| mvcombine message delim="; " 
| nomv message

Sample query:

| makeresults 
| eval _raw="my_method status increase nb_today
method(1) status1 10 nb_today1
method(2) status2 20 nb_today2
method(3) status3 30 nb_today3" 
| multikv forceheader=1 
| strcat "The method ",my_method," was ",status," with ",nb_today," errors in the last 24hours. (That's a ",increase,"% increase)" message 
| fields message 
| mvcombine message delim="; " 
| nomv message

----

If this reply helps you, a like would be appreciated.

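
A complete search that puts the pieces of this thread together, added here as an example and not taken from any post above (my_severity, my_app, my_method, "name" and the thresholds are the asker's placeholders, reused as assumptions). It counts both days in one search, bucketed with eval, instead of using appendcols: appendcols pairs rows by position rather than by my_method, so nb_today can land next to the wrong method. It then keeps only the CRITICAL rows and folds them into a single message field, so the alert returns exactly one row and the email body token `$result.message$` carries the whole list:

```spl
my_severity=error my_app="name" earliest=-48h latest=now
| eval day=if(_time >= relative_time(now(), "-24h"), "nb_today", "nb_yesterday")
| chart count over my_method by day
| fillnull value=0 nb_today nb_yesterday
| eval increase=if(nb_yesterday>0, round(nb_today*100/nb_yesterday), null())
| eval status=if(increase>100 OR nb_today>10, "CRITICAL", "GOOD")
| where status="CRITICAL"
| fillnull value="n/a" increase
| sort - nb_today
| strcat "The method " my_method " was " status " with " nb_today " errors in the last 24 hours (" increase "% increase)" message
| fields message
| mvcombine delim="; " message
| nomv message
```

Save it as an alert with Trigger set to "Once", the trigger condition "Number of Results" greater than 0, and the email body `$result.message$`. The "For each result" trigger fires the action once per row, which is the one-mail-per-error behaviour reported later in this thread; with the combined search there is only one row, and "Once" with the results condition means nothing is sent when no method is CRITICAL. `mvcombine` requires every other field to be identical across the rows it merges, which is why `fields message` comes first; `nomv` turns the multivalue result into a single string joined with the delimiter, and the second `fillnull` stops the percentage from printing as blank for a method that had no errors the day before (division by zero leaves `increase` null, and the status test then falls back to the nb_today threshold alone).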

CesarCrt
Path Finder

Hello @manjunathmeti ,

Thanks for your answer.

I tried it and I received one mail for every different error (50 different mails).

I want to put ALL different errors in ONE mail.

(sorry for my bad English)

manjunathmeti
Champion

It is not a good idea to put all alert results in the email body. You can enable the "attach CSV/PDF file" option on the email action. This will send all the results in a CSV/PDF file attached to the email.

CesarCrt
Path Finder

That was my second option. I was thinking about an external Python script that deals with all the results in a CSV file.

If you have the command to put all the alerts in one mail, I would like to make some tests.

Thanks for your swiftness @manjunathmeti

manjunathmeti
Champion

There is an option to attach a CSV file to the email on the email alert action edit page.

CesarCrt
Path Finder

I may have expressed myself badly.

I know about the CSV attachment, but I was asking about the command to see literally all the alerts in the mail body and not in a side file.


manjunathmeti
Champion

Hi @CesarCrt,

You need to set Trigger to "For each result". This will trigger the alert action for each row.

(screenshot: manjunathmeti_0-1611319139028.png)

If this reply helps you, an upvote/like would be appreciated.