All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Email alert - For a specific message in the log

motupaul
New Member
‎05-05-2017 01:55 AM

Hi Team,

With the below search query I have set the email Alert configuration, To only me as a testing which was working good.

index=index_name "Disk Alert 1 sent, Disk utilization at or near capacity"

My Quires are
1) I have mentioned, the complete line from the log file is "Disk Alert 1 sent, Disk utilization at or near capacity Partition=log, Usage=98%", So I want the email to trigger if the value is greater then 80% ? How and where this filter need to applied?

2) Alert which I created, I getting emails alerts and can able to open. Same I forward My teammate but he not able to open that, I verified Sharing category is private. In fact while I am creating the Alert I don’t see any option to select as private or public. By default it was Private.
So how can I modify that ?

3) In the same alert, I have mentioned my team DL email address instead if my ID when i try the run it is not triggering any email.
Could you please me to set email alert to the team to access/view ?

Please do let me know if my query is not clear & need any more detail information. You can email me at fine.

-Paul

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ckunath
Communicator
‎05-05-2017 09:20 AM

1) Since "Usage" is already a field with a value, you should be able to set up your alert by specifying that it should be above 80. Before that, you'll need to get rid of the "%" though

index=index_name "Disk Alert 1 sent, Disk utilization at or near capacity" | rex mode=sed field=Usage "s/%//g" | where Usage>80

2) To let your colleague look at the alert, be sure to set the alert to "Shared in App" when creating it.

3) Not sure what you mean by that, but if the problem is that your team cannot view the alert, the solution to 2) should work for this too.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ckunath
Communicator
‎05-05-2017 09:20 AM

1) Since "Usage" is already a field with a value, you should be able to set up your alert by specifying that it should be above 80. Before that, you'll need to get rid of the "%" though

index=index_name "Disk Alert 1 sent, Disk utilization at or near capacity" | rex mode=sed field=Usage "s/%//g" | where Usage>80

2) To let your colleague look at the alert, be sure to set the alert to "Shared in App" when creating it.

3) Not sure what you mean by that, but if the problem is that your team cannot view the alert, the solution to 2) should work for this too.

0 Karma
Reply
Solved! Jump to solution

motupaul
New Member
‎06-05-2018 03:01 AM

Thank you very much for the answer

0 Karma
Reply
Solved! Jump to solution

motupaul
New Member
‎05-07-2017 09:08 PM

Thank you for the response.

Where can i find the option/label to set to "Shared in APP" while creating the alert. And also in Run as what difference if we select "Owner or user"
alt text
alt text

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...