Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Using a lookup to send multiple different emails in an alert

djemodjenai
Explorer
‎01-16-2020 11:13 AM

I am using a lookup with a list of hosts, thresholds an email addresses to dynamically send email alerts when a threshold is hit.

It works well when there is a simple mapping:
host1 email1
host2 email1

But it's not working when it's:

host1 email1
host1 email2

The lookup looks like this:
alt text

My search is:

(mysearch calculating a rate)
| stats min(rate) as min_rate by host
| lookup mylookup.csv host OUTPUT threshold mail
| where min_rate > threshold | fields host min_rate mail threshold

Then, it sends an email using $result.mail$ within the savedsearches parameters (alert).

The problem is that it groups the results with host1 -> list of emails, hence it fails to separate the different email adresses as $result.mail$.alt text

The result looks like this:
host1 email1.com
-------- email2.com

Instead of this:
host1 email1.com
host1 email2.com

It's probably because of the "by host" in my search, is there a way to make the results "for each"?

Can anyone help me?
I tried playing with the lookup parameters, but I'm stuck... Thanks in advance.

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

acfecondo75
Path Finder
‎01-16-2020 12:01 PM

Hi @djemodjenai

Try piping the current search that you have into this:

| stats values(min_use_rate) as min_use_rate values(threshold) as threshold by host, mail

I think this should break down your results so you have one row per host and mail combination.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

acfecondo75
Path Finder
‎01-16-2020 12:01 PM

Hi @djemodjenai

Try piping the current search that you have into this:

| stats values(min_use_rate) as min_use_rate values(threshold) as threshold by host, mail

I think this should break down your results so you have one row per host and mail combination.

0 Karma
Reply
Solved! Jump to solution

acfecondo75
Path Finder
‎01-16-2020 12:39 PM

If that doesn't work, you can do
| mvexpand mail
this should create an individual row entry for each value in the mail field.

0 Karma
Reply
Solved! Jump to solution

acfecondo75
Path Finder
‎01-16-2020 12:29 PM

Yeah so you do it at the end after you've run the lookup to add those fields...

0 Karma
Reply
Solved! Jump to solution

djemodjenai
Explorer
‎01-16-2020 11:28 PM

You're right, it works when I pipe after the lookup. I changed your suggestion a little bit to make it work:

[mysearch] |mylookup.csv host OUTPUT threshold mail
| stats min(use_rate) as min_use_rate values(threshold) as threshold by host, mail
| where min_use_rate > threshold | fields host min_use_rate mail threshold

It separates the result as wanted. Now I have to test it IRL.

This is brilliant, thank you @acfecondo75 for your time!

0 Karma
Reply
Solved! Jump to solution

djemodjenai
Explorer
‎01-16-2020 12:27 PM

I see what you are trying to do, but there are no threshold nor mail in the initial query. They are brought up with the lookup, so it doesn't work.

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...