Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Mail in splunk

logloganathan
Motivator
‎06-08-2018 06:18 AM

i have written splunk query
index=aaa sourcetype=xyz | stats count by xxx

i want to mail only if count greater than 0 to xyz@xyz.com and if count greater than 10 then mail to abcd@xyz.com

Could you please help

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

harishalipaka
Motivator
‎06-08-2018 06:33 AM 
index=aaa sourcetype=xyz | stats count as total by xxx |eval a=if(total >0 ,"abc@gmail.com",case(total>10,"xyz@gmail.com")) | sendemail to=$result.a$  format="html" server=smtp.xxx.com:123 use_tls=1 subject="Alert for Data" message="This is an alert  data" sendpdf=true
Thanks
Harish

View solution in original post

Reply
Solved! Jump to solution

ppatrikfr
Path Finder
‎06-08-2018 06:40 AM

Well I dont know if its gonna help you but you can use a schedule search with |sendemail command on it, you can make two different searchs and put a | where conditional for one search up to 0 but less than 10 and another search with greater than 10.

it will be something like this

index=aaa sourcetype=xyz | stats count by xxx
| where count > 0 || count < 10
|sendemail to="emailreceiver@emai.com"

look at this link for more information about sendemail: http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Sendemail

and second search will be like

index=aaa sourcetype=xyz | stats count by xxx
| where count > 10
|sendemail to="emailreceiver@emai.com"

Hope it works, if didn't just tell me if you are making an alert of something else, see ya!! 😉

0 Karma
Reply
Solved! Jump to solution
Solution

harishalipaka
Motivator
‎06-08-2018 06:33 AM 
index=aaa sourcetype=xyz | stats count as total by xxx |eval a=if(total >0 ,"abc@gmail.com",case(total>10,"xyz@gmail.com")) | sendemail to=$result.a$  format="html" server=smtp.xxx.com:123 use_tls=1 subject="Alert for Data" message="This is an alert  data" sendpdf=true
Thanks
Harish
Reply
Solved! Jump to solution

logloganathan
Motivator
‎06-08-2018 07:07 AM

thanks for your answer!!

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...