I have this query. Can we set up an alert and send 2 separate mails as per the condition in the query?
index=xyz sourcetype=123 Message="Started" (host=host1 OR host=host2 OR host=host3)
| dedup host
| stats count
| where count <=3
One mail if count is < 3 and one mail when count is = 3.
Is this possible? 😐
This can be achieved by passing tokens. Check these 2 links:
http://docs.splunk.com/Documentation/Splunk/6.5.2/Alert/EmailNotificationTokens
Read this:
So, like this:
index=xyz sourcetype=123 Message="Started" (host=host1 OR host=host2 OR host=host3)
| dedup host
| stats count
| where count <=3
| eval recipient=case(count<3, "recipient1@domain.com", count=3, "recipient2@domain.com", 1==1, null())
| where isnotnull(recipient)
Then when the search is saved as an alert, configure the Send email alert action with the following token in the To recipient field: $result.recipient$
Thank you for your answer, but I have already accepted the above answer 🙂
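As an added example (not part of any answer on this page), here is what the token approach from the accepted answer looks like when the alert is defined in savedsearches.conf instead of through the Save As Alert dialog. The search and the two addresses are taken from the answer above; the stanza name, schedule, time range, subject text and app placement are assumptions.

```ini
# Added example: local/savedsearches.conf in the app where the alert lives.
# Stanza name, schedule and time range are assumptions; adjust to your environment.
[host_started_count_alert]
# Multi-line search values use a trailing backslash as the continuation character.
search = index=xyz sourcetype=123 Message="Started" (host=host1 OR host=host2 OR host=host3) \
| dedup host \
| stats count \
| where count<=3 \
| eval recipient=case(count<3, "recipient1@domain.com", count=3, "recipient2@domain.com", 1==1, null()) \
| where isnotnull(recipient)

# Run on a schedule over a fixed window (assumed values).
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now

# Trigger whenever the search returns at least one row. The stats/where pipeline
# yields exactly one row, and only when a recipient was assigned, so the alert
# fires for count<3 and count=3 and stays silent otherwise.
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
# One row means digest mode and per-result mode behave the same here; $result.*$
# always refers to the first (only) row.
alert.digest_mode = 1

# Send email action with the recipient taken from the result row.
action.email = 1
action.email.to = $result.recipient$
action.email.subject = Started-message host count is $result.count$
action.email.message.alert = $result.count$ host(s) reported "Started" in the last window. Recipient chosen by the count threshold: $result.recipient$
action.email.include.results_link = 1
```

Because the address is produced by case() from literals written by the alert author, and never copied out of event fields, the destination of the mail stays under the author's control even though the To field is token-driven; keep it that way if the search is later extended to pull in more fields.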