Solved: Re: set up a alert and send 2 separate mails as pe...

AdixitSplunk · ‎02-09-2017

I have this query can we set up a alert and send 2 separate mails as per the condition in the query .
index=xyz sourcetype=123 Message="Started" (host=host1 OR host=host2 OR host=host3)
| dedup host
| stats count
| where count <=3
One mail if count is < 3 and one mail when count is = 3 .
Is this possible 😐

varad_joshi · ‎02-09-2017

This can be achieved by passing tokens. Check these 2 links:

http://docs.splunk.com/Documentation/Splunk/latest/Alert/Emailnotification#Tokens_available_for_emai...

http://docs.splunk.com/Documentation/Splunk/6.5.2/Alert/EmailNotificationTokens

View solution in original post

woodcock · ‎03-02-2017

Read this:

http://docs.splunk.com/Documentation/Splunk/latest/Alert/Emailnotification#Send_email_to_different_r...

So, like this:

index=xyz sourcetype=123 Message="Started" (host=host1 OR host=host2 OR host=host3) 
| dedup host 
| stats count 
| where count <=3
| eval recipient=case(count<3, "recipient1@domain.com", count=3, "recipient2@domain.com", 1==1, null()) | where isnotnull(recipient)

Then when the search is saved as an alert, configure the Send email alert action with the following token in the To recipient field: $result.recipient$

AdixitSplunk · ‎03-21-2017

Thank you for your answer, but I have already accepted the above answer 🙂

varad_joshi · ‎02-09-2017

This can be achieved by passing tokens. Check these 2 links:

http://docs.splunk.com/Documentation/Splunk/latest/Alert/Emailnotification#Tokens_available_for_emai...

http://docs.splunk.com/Documentation/Splunk/6.5.2/Alert/EmailNotificationTokens

set up a alert and send 2 separate mails as per the condition in the query

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor