Splunk Log data Enrichment in notifications

maheswar6523 · ‎07-19-2018

I have logs loaded to splunk, I created few alerts to send the error email notifications
till this it is working fine.., only one bottleneck here is they don't want whole error msg
in the email instead then need only meaning ful msg say example:"error_Num:4006 "Duplicate
document created" like this.., before that error_Num:4006 "this is occurred due to the user created
a document with the same name at logs c:/apps/oop"

I created a .csv file and uploaded with 2 perameters:
Error_num, Desc
4006,Duplicate document created
9002,Invalid login

When i user in the serach as |Inputlookup Error_num Outputlookup Desc
this is not working .., pls help in this

woodcock · ‎07-19-2018

Like this

Your Existing Search For Alerts Here
| lookup YourLookupFileHere.csv Error_num OUTPUT Desc

renjith_nair · ‎07-19-2018

if the error code and the message are already part of your event, then you could just extract the information and send only required field.

For e.g.

| makeresults |eval string="this is occurred due to the user created a document with the same name at logs c:/apps/oop error_Num:4006 Duplicate document created" 
|rex field=string "^(?:[^:\n]*:){2}\d+\s+(?P<message>.+)" |table message

You shall use the Splunk Field Extractor to extract the messages

---
What goes around comes around. If it helps, hit it with Karma 🙂

Splunk Log data Enrichment in notifications

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Accelerating Observability as Code with the Splunk AI Assistant

Join the Conversation

Splunk Log data Enrichment in notifications

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Accelerating Observability as Code with the Splunk AI Assistant