Alerting

Mail alert with multiple pieces of information

CesarCrt
Path Finder

Hello everyone,

Here is my search:

my_severity=error my_app="name" earliest=-48h latest=now
  | eval period=if(_time >= relative_time(now(), "-24h"), "today", "yesterday")
  | stats count(eval(period="yesterday")) as nb_yesterday, count(eval(period="today")) as nb_today by my_method
  | eval increase=if(nb_yesterday > 0, round(nb_today*100/nb_yesterday), null())
  | eval status=if(increase > 100 OR nb_today > 10, "CRITICAL", "GOOD")
  | table my_method, nb_yesterday, increase, status, nb_today
  | sort - nb_today

my_severity, my_app and my_method are fields that I created myself.

With my search, I get multiple results (and multiple lines), and I want to send one mail with the list of CRITICAL statuses, like:

"Hello, we notice some errors :

[name of the method(1)] [status] [increase] [nb_today]

[name of the method(2)] [status] [increase] [nb_today]

[name of the method(3)] [status] [increase] [nb_today]

... "

 

How can I send a mail with all the "CRITICAL" statuses, for example?

 

When I configure the mail alert with this body message:

"The method "$result.my_method$" was $result.status$ with $result.nb_today$ errors in the last 24 hours. (That's a $result.increase$% increase)"

it only sends a mail with the information of the first line.

 

Thanks.

 

1 Solution

manjunathmeti
SplunkTrust

Hi @CesarCrt,

You can use strcat to create the message for each row and use mvcombine to combine all the message field values into a single value.

| strcat "The method ",my_method," was ",status," with ",nb_today," errors in the last 24hours. (That's a ",increase,"% increase)" message 
| fields message 
| mvcombine message delim="; " 
| nomv message

Sample query:

| makeresults 
| eval _raw="my_method status increase nb_today
method(1) status1 10 nb_today1
method(2) status2 20 nb_today2
method(3) status3 30 nb_today3" 
| multikv forceheader=1 
| strcat "The method ",my_method," was ",status," with ",nb_today," errors in the last 24hours. (That's a ",increase,"% increase)" message 
| fields message 
| mvcombine message delim="; " 
| nomv message

----

If this reply helps you, a like would be appreciated.

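As an added example (not part of the original thread, and not the poster's or the answerer's search), here is the full pipeline a practitioner would put behind this alert. Today's and yesterday's counts are computed in one pass grouped by my_method, which avoids the positional row pairing of appendcols (a subsearch joined that way can attach nb_today to the wrong method when the two time windows do not contain the same set of methods); only CRITICAL rows are kept; and the rows are collapsed into a single body field so that the email action fires once and $result.body$ carries every method. Field names and thresholds follow the original post; period, line, body and nb_critical are names introduced here.

```spl
my_severity=error my_app="name" earliest=-48h latest=now
| eval period=if(_time >= relative_time(now(), "-24h"), "today", "yesterday")
| stats count(eval(period="yesterday")) as nb_yesterday, count(eval(period="today")) as nb_today by my_method
| eval increase=if(nb_yesterday > 0, round(nb_today*100/nb_yesterday), null())
| eval status=if(increase > 100 OR nb_today > 10, "CRITICAL", "GOOD")
| where status="CRITICAL"
| sort - nb_today
| eval line=my_method." ".status." ".coalesce(increase, "n/a")."% ".nb_today
| stats count as nb_critical, list(line) as body
| where nb_critical > 0
| eval body=mvjoin(body, "; ")
```

The search returns at most one row, so the alert is configured with Trigger set to Once (not For each result, which sends one mail per row, the 50 mails reported below), Trigger alert when Number of Results is greater than 0, and a message such as "Hello, we notice some errors: $result.body$ ($result.nb_critical$ methods)". The final where clause matters: without it, a run with no CRITICAL rows still produces one row (count 0, empty body) and would send an empty mail. list() keeps insertion order, so the body is sorted by nb_today descending, but it is capped at 100 values; if more methods than that can go critical, attach the CSV instead. Because my_method is extracted from log data, if its value can be influenced by whoever sends the requests, keep the email action's Type set to Plain Text rather than HTML & Plain Text so nothing in a method name is rendered as markup in the recipient's mail client.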

CesarCrt
Path Finder

Hello @manjunathmeti ,

Thanks for your answer.

I tried it and I received one mail for every different error (50 different mails).

I want to put ALL different errors in ONE mail.

 

(sorry for my bad english)


manjunathmeti
SplunkTrust

It is not a good idea to put all alert results in the email body. You can enable the attach CSV/PDF file option for the email. This will send all the results in a CSV/PDF file attached to the email.


CesarCrt
Path Finder

That was my second option. I was thinking about an external Python script that deals with all the results in a CSV file.

If you have the command to put all the alerts in one mail, I would like to run some tests.

Thanks for your swiftness @manjunathmeti 


manjunathmeti
SplunkTrust

There is an option to enable the attach CSV file email option on the email alert action edit page.


CesarCrt
Path Finder

I may have expressed myself badly.

I know about the CSV attachment, but I was asking about the command to see literally all the alerts in the mail body and not in a separate file.


manjunathmeti
SplunkTrust

Hi @CesarCrt,

You need to set Trigger to For each result. This will trigger the alert action for each row.

(screenshot of the alert trigger settings: manjunathmeti_0-1611319139028.png)

If this reply helps you, an upvote/like would be appreciated.
