Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- How to customize email alerts for recipients?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I have the following alert search:
index=mlbso_changelog (crash_context OR crash_stack OR crash_shortinfo) AND source="*crash*" NOT "Table of contents" | rex field=source "(?<filename>[\w\d\.-]+$)"
The idea is to notify the system responsibles on the crashes happening in the corresponding systems. The search itself goes over the crashdump files of many systems, the only differentiation would be then over the field filename.
Now, I would like to keep it simple and have only one alert for all the systems, but depending on the content of the filename trigger the alert e-mail to the specific recipient group, like for the filename 'A' to the defined e-mail group "Owner A", etc. These are not the same people.
How would I do it?
Kind Regards,
Kamil
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could include a lookup in your search, which maps the recipient email address according to the filename:
index=mlbso_changelog (crash_context OR crash_stack OR crash_shortinfo) AND source="*crash*" NOT "Table of contents" | rex field=source "(?<filename>[\w\d\.-]+$)" | lookup email_mapping filename OUTPUT recipient_mail
Then use the variable in your alert by setting the recipient field as $result.recipient_mail$
See https://docs.splunk.com/Documentation/Splunk/latest/Alert/EmailNotificationTokens for further details
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could include a lookup in your search, which maps the recipient email address according to the filename:
index=mlbso_changelog (crash_context OR crash_stack OR crash_shortinfo) AND source="*crash*" NOT "Table of contents" | rex field=source "(?<filename>[\w\d\.-]+$)" | lookup email_mapping filename OUTPUT recipient_mail
Then use the variable in your alert by setting the recipient field as $result.recipient_mail$
See https://docs.splunk.com/Documentation/Splunk/latest/Alert/EmailNotificationTokens for further details
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @DMohn
Thank you, I implemented your idea and it works perfect.
Kind Regards,
Kamil
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
