Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Mail Alert with multiple informations

CesarCrt
Path Finder
‎01-22-2021 03:01 AM

Hello everyone,

There is my search :

my_severity=error my_app="name" earliest=-48h latest=-24h
  | stats count as nb_yesterday by my_method limit=0
  | appendcols[search my_severity=error my_app="name" earliest=-24h latest=now | stats count as nb_today by my_method]
  | eval increase=round(nb_today*100/nb_yesterday)
  | eval status=if(increase>100 OR nb_today>10, "CRITICAL", "GOOD")
  | table my_method, nb_yesterday, increase, status, nb_today
  | sort nb_today desc

my_severity, my_app and my_method are fields that i created myself

with my search, i get multiple results (and multiple lines) and i want to send one mail with the list of CRITICAL status like :

"Hello, we notice some errors :

[name of the method(1)] [status] [increase] [nb_today]

[name of the method(2)] [status] [increase] [nb_today]

[name of the method(3)] [status] [increase] [nb_today]

... "

 

How can i send a mail with all the "CRITICAL" status for exemple ?

 

When i configure the mail alert with this body message : 

"The method "$result.my_method$" was $result.status$ with $result.nb_today$ errors in the last 24hours. (That's a $result.increase$% increase) "

I only send a mail with the informations of the first line. 

 

Thanks.

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎01-22-2021 10:41 PM

hi @CesarCrt ,

You can use strcat to create the message for each row and use mvcombine to combine all the message field values into a single value.

| strcat "The method ",my_method," was ",status," with ",nb_today," errors in the last 24hours. (That's a ",increase,"% increase)" message 
| fields message 
| mvcombine message delim="; " 
| nomv message

Sample query:

| makeresults 
| eval _raw="my_method status increase nb_today
method(1) status1 10 nb_today1
method(2) status2 20 nb_today2
method(3) status3 30 nb_today3" 
| multikv forceheader=1 
| strcat "The method ",my_method," was ",status," with ",nb_today," errors in the last 24hours. (That's a ",increase,"% increase)" message 
| fields message 
| mvcombine message delim="; " 
| nomv message

----

If this reply helps you, a like would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

CesarCrt
Path Finder
‎01-22-2021 05:51 AM

Hello @manjunathmeti ,

Thanks for your answer.

I tried it and i received one mail for every different error. (50 different mails) 

I want to put ALL different errors in ONE mail.

 

(sorry for my bad english)

0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎01-22-2021 05:59 AM

It is not a good idea to put all alert results in email body. You can enable attach CSV/PDF file to the email. This will send all the results in a CSV/PDF file attached to the email. 

0 Karma
Reply
Solved! Jump to solution

CesarCrt
Path Finder
‎01-22-2021 06:07 AM

That was my second option. I was thinking about an external python script who deals with all the results on a CSV file.

If you have the command to put all the alert in one mail, i would like to make some tests. 

Thanks for your swiftness @manjunathmeti 

0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎01-22-2021 07:08 AM

There is an option to enable attach CSV file email option in the email alert action edit page.

0 Karma
Reply
Solved! Jump to solution

CesarCrt
Path Finder
‎01-22-2021 07:16 AM

I may have expressed myself badly.

I know about the CSV attachment but i was asking about the command to see literally all the alert in the body mail and not in a side file.

0 Karma
Reply
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎01-22-2021 10:41 PM

hi @CesarCrt ,

You can use strcat to create the message for each row and use mvcombine to combine all the message field values into a single value.

| strcat "The method ",my_method," was ",status," with ",nb_today," errors in the last 24hours. (That's a ",increase,"% increase)" message 
| fields message 
| mvcombine message delim="; " 
| nomv message

Sample query:

| makeresults 
| eval _raw="my_method status increase nb_today
method(1) status1 10 nb_today1
method(2) status2 20 nb_today2
method(3) status3 30 nb_today3" 
| multikv forceheader=1 
| strcat "The method ",my_method," was ",status," with ",nb_today," errors in the last 24hours. (That's a ",increase,"% increase)" message 
| fields message 
| mvcombine message delim="; " 
| nomv message

----

If this reply helps you, a like would be appreciated.

Reply
Solved! Jump to solution

manjunathmeti
Champion
‎01-22-2021 04:41 AM

hi @CesarCrt ,

You need to set Trigger to For each result. This will trigger alert action for each row.

manjunathmeti_0-1611319139028.png

If this reply helps you, an upvote/like would be appreciated.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

    Thursday, June 25, 2026  |  11AM PDT / 2PM EDT  Duration: 1 Hour (Includes live Q&A) Register to ...

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...