Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Log data Enrichment in notifications

maheswar6523
New Member
‎07-19-2018 03:50 AM

I have logs loaded to splunk, I created few alerts to send the error email notifications
till this it is working fine.., only one bottleneck here is they don't want whole error msg
in the email instead then need only meaning ful msg say example:"error_Num:4006 "Duplicate
document created" like this.., before that error_Num:4006 "this is occurred due to the user created
a document with the same name at logs c:/apps/oop"

I created a .csv file and uploaded with 2 perameters:
Error_num, Desc
4006,Duplicate document created
9002,Invalid login

When i user in the serach as |Inputlookup Error_num Outputlookup Desc
this is not working .., pls help in this

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎07-19-2018 07:51 AM

Like this

Your Existing Search For Alerts Here
| lookup YourLookupFileHere.csv Error_num OUTPUT Desc
0 Karma
Reply

renjith_nair
Legend
‎07-19-2018 06:51 AM

if the error code and the message are already part of your event, then you could just extract the information and send only required field.

For e.g.

| makeresults |eval string="this is occurred due to the user created a document with the same name at logs c:/apps/oop error_Num:4006 Duplicate document created" 
|rex field=string "^(?:[^:\n]*:){2}\d+\s+(?P<message>.+)" |table message

You shall use the Splunk Field Extractor to extract the messages

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Get Updates on the Splunk Community!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...

Stay Connected: Your Guide to October Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...