Alerting

Using a lookup to send multiple different emails in an alert

djemodjenai
Explorer

I am using a lookup with a list of hosts, thresholds and email addresses to dynamically send email alerts when a threshold is hit.

It works well when there is a simple mapping:
host1 email1
host2 email1

But it's not working when it's:

host1 email1
host1 email2

The lookup looks like this:
[screenshot of the lookup table]

My search is:

(mysearch calculating a rate)
| stats min(rate) as min_rate by host
| lookup mylookup.csv host OUTPUT threshold mail
| where min_rate > threshold | fields host min_rate mail threshold

Then, it sends an email using $result.mail$ within the savedsearches parameters (alert).

The problem is that it groups the results with host1 -> list of emails, hence it fails to separate the different email addresses as $result.mail$.

The result looks like this:
host1 email1.com
-------- email2.com

Instead of this:
host1 email1.com
host1 email2.com

It's probably because of the "by host" in my search, is there a way to make the results "for each"?

Can anyone help me?
I tried playing with the lookup parameters, but I'm stuck... Thanks in advance.

0 Karma
1 Solution

acfecondo75
Path Finder

Hi @djemodjenai

Try piping the current search that you have into this:

| stats values(min_use_rate) as min_use_rate values(threshold) as threshold by host, mail

I think this should break down your results so you have one row per host and mail combination.


0 Karma


acfecondo75
Path Finder

If that doesn't work, you can do
| mvexpand mail
this should create an individual row entry for each value in the mail field.

0 Karma

acfecondo75
Path Finder

Yeah so you do it at the end after you've run the lookup to add those fields...

0 Karma

djemodjenai
Explorer

You're right, it works when I pipe after the lookup. I changed your suggestion a little bit to make it work:

[mysearch] | lookup mylookup.csv host OUTPUT threshold mail
| stats min(use_rate) as min_use_rate values(threshold) as threshold by host, mail
| where min_use_rate > threshold | fields host min_use_rate mail threshold

It separates the result as wanted. Now I have to test it IRL.

This is brilliant, thank you @acfecondo75 for your time!

0 Karma
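Added example, not from the thread or from Splunk: a small plain-Python model of the behaviour discussed above, built on constructed events and a constructed lookup table (host1 mapped to two addresses). It runs the original pipeline (stats by host, then lookup), the accepted fix (lookup first, then stats by host, mail) and the mvexpand alternative, and shows what the alert action would see as $result.mail$ in each case. Multivalue fields are modelled as Python lists; the comparison in `where` is only defined here for a single-valued threshold, which is the case in the sample data.

```python
"""Model of why `stats ... by host` collapses mail into one multivalue row
and how `by host, mail` (or `mvexpand mail`) restores one row per pair.
Constructed data and a simplified model of the SPL semantics, not Splunk code."""
from collections import defaultdict

# Constructed lookup rows (host -> threshold, mail); host1 appears twice.
LOOKUP = [
    {"host": "host1", "threshold": 80, "mail": "email1@example.com"},
    {"host": "host1", "threshold": 80, "mail": "email2@example.com"},
    {"host": "host2", "threshold": 50, "mail": "email1@example.com"},
]

# Constructed raw events with a per-host rate sample.
EVENTS = [
    {"host": "host1", "use_rate": 95},
    {"host": "host1", "use_rate": 90},
    {"host": "host2", "use_rate": 40},
    {"host": "host2", "use_rate": 45},
]


def _mv(v):
    """Treat a scalar as a one-element multivalue field."""
    return v if isinstance(v, list) else [v]


def lookup(rows, table, key, output):
    """Emulate `| lookup <table> <key> OUTPUT <fields>`: every matching lookup
    row contributes; distinct values from several matches form a multivalue
    field (a list), a single distinct value stays scalar, no match gives None."""
    by_key = defaultdict(list)
    for t in table:
        by_key[t[key]].append(t)
    out = []
    for r in rows:
        matches = by_key.get(r[key], [])
        new = dict(r)
        for f in output:
            vals = sorted({m[f] for m in matches}, key=str)
            new[f] = vals[0] if len(vals) == 1 else (vals or None)
        out.append(new)
    return out


def stats(rows, by, min_field, values_fields=()):
    """Emulate `| stats min(<f>) as min_<f> values(g) as g by <by...>`.
    An event whose by-field is multivalue is counted in one group per value;
    that is what makes `by host, mail` split a mail list back into rows."""
    groups = defaultdict(list)
    for r in rows:
        keys = [()]
        for b in by:
            keys = [k + (v,) for k in keys for v in _mv(r.get(b))]
        for k in keys:
            groups[k].append(r)
    out = []
    for k, members in sorted(groups.items(), key=str):
        row = dict(zip(by, k))
        row["min_" + min_field] = min(m[min_field] for m in members)
        for f in values_fields:
            vals = sorted({v for m in members for v in _mv(m.get(f))}, key=str)
            row[f] = vals[0] if len(vals) == 1 else vals
        out.append(row)
    return out


def mvexpand(rows, field):
    """Emulate `| mvexpand <field>`: one copy of the row per value."""
    out = []
    for r in rows:
        for v in _mv(r[field]):
            new = dict(r)
            new[field] = v
            out.append(new)
    return out


def where_over_threshold(rows):
    """`| where min_use_rate > threshold`; only defined for a scalar threshold."""
    return [r for r in rows
            if isinstance(r["threshold"], (int, float)) and r["min_use_rate"] > r["threshold"]]


def original_search():
    """The question's pipeline: stats by host first, then the lookup.
    Result: one row per host, with mail as a multivalue list."""
    rows = stats(EVENTS, by=["host"], min_field="use_rate")
    rows = lookup(rows, LOOKUP, "host", ["threshold", "mail"])
    return where_over_threshold(rows)


def fixed_search():
    """The accepted fix: lookup on the raw events, then stats by host AND mail."""
    rows = lookup(EVENTS, LOOKUP, "host", ["threshold", "mail"])
    rows = stats(rows, by=["host", "mail"], min_field="use_rate", values_fields=["threshold"])
    return where_over_threshold(rows)


def mvexpand_search():
    """The alternative suggested in the thread: keep the original pipeline
    and expand the multivalue mail field afterwards."""
    return mvexpand(original_search(), "mail")


def alert_rows(rows):
    """What the alert action sees: one ($result.host$, $result.mail$) per row."""
    return [(r["host"], r["mail"]) for r in rows]


if __name__ == "__main__":
    for name, fn in (("original", original_search), ("fixed", fixed_search), ("mvexpand", mvexpand_search)):
        print(name, alert_rows(fn()))
```

Running it shows the original pipeline producing a single host1 row whose mail value is the list of both addresses, while both the `by host, mail` and the `mvexpand mail` variants yield two rows, each with one address, so a per-result email action fires once per recipient.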

djemodjenai
Explorer

I see what you are trying to do, but there is neither threshold nor mail in the initial query. They are brought up with the lookup, so it doesn't work.

0 Karma