Alert Sending Email based on an if condition

hiteshkanchan
Communicator

I need to send an email based on an if condition, something like "if (value > 10) send an email", but I am not able to figure out how to do this.

I am trying this with eval, but this only assigns the value to a variable (LoginQuality):

eval LoginQuality=if(AverageLoginTime > 10, "More", "Less")

I need to change or modify this statement to send an email depending on the condition.

Can someone help me with this?


romantercero
Path Finder

You can do this with a sub search. Check this out:

index="_internal" group="per_source_thruput"
| search series!="_audit"
| search series!="_internal"
| eval GB=(kb/1024)/1024
| stats sum(GB) as Hourly_Indexed_GB
| eval test=if(Hourly_Indexed_GB > 20.3, [| search index="_internal" group="per_source_thruput" | search series!="_audit" | search series!="_internal" | eval GB=(kb/1024)/1024 | stats sum(GB) as GB | table GB | sendemail to="email@somewhere.com" format=html subject=Splunk_License_warn server=Your_Mail_Server sendresults=true], "0")

romantercero
Path Finder

The gist of this is to include an if statement and place a sub search on the true or false clause of the if. The sub search uses the sendmail command to send you the results.

dwaddle
SplunkTrust

If I understand your goal here, it's possible that an "advanced conditional alert" will suit your needs. Check out http://docs.splunk.com/Documentation/Splunk/4.2.3/User/SchedulingSavedSearches and search for the section "Define an advanced conditional alert".

I think that using a conditional alert of the form

search LoginQuality > 10

should get you close to what you want...

dwaddle
SplunkTrust

You need to configure Splunk with a proper connection to a valid SMTP server. I doubt that proxy.com:8080 is a valid SMTP server. You need to make sure your basic SMTP connection is working before trying to move on to conditional alerts and stuff.

hiteshkanchan
Communicator

I am trying this command: sendemail to="user@domain.com" sendresults=true server="proxy.com:8080" and it gives an error like:
"command="sendemail", Connection unexpectedly closed while sending mail to: user@domain.com"

hiteshkanchan
Communicator

Yes, I am trying the same, but currently I am getting an error: "command="sendemail", [Errno 10061] No connection could be made because the target machine actively refused it while sending mail to: hitesh@domain.com".

Looks like some configuration issue. Kindly let me know if anyone has resolved this issue.

fk319
Builder

Under Manager/Searches and Reports you can schedule your e-mails. This is a feature that varies quite a bit between versions. The later versions have better control over this.

fk319
Builder

I have not personally done this, but another has on our system. I would expect that sendmail [on a Unix system] must be accepting requests, well at least on 127.0.0.1.

hiteshkanchan
Communicator

Yes, right. I am doing the same thing and getting an error like:
command="sendemail", [Errno 10060] A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond while sending mail to: "username@mail.com"

fk319
Builder

There is a sendmail command:

| eval send=if(AverageLoginTime > 10, "true", "false")
| search send="true"
| sendemail {arg list}

http://docs.splunk.com/Documentation/Splunk/4.3.2/SearchReference/Sendemail

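The pattern in the answer above (decide with an if on AverageLoginTime, then hand the matching result to the mail command) and dwaddle's point that the SMTP connection has to work before any conditional alert can, written out as a stand-alone script of the kind the original poster asks about. This is an added example, not code from the thread or from Splunk; it assumes the AverageLoginTime value has already been obtained (for instance from a saved search's results) and that a real SMTP relay host and port are known. The relay address, the sender and the recipient below are placeholders, and the function names are this example's own.

```python
"""Conditional alert e-mail with an SMTP reachability pre-check (added example)."""
import smtplib
import socket
from email.message import EmailMessage


def should_alert(average_login_time, threshold=10):
    """Same decision as `eval send=if(AverageLoginTime > 10, "true", "false")`:
    alert only when the metric is strictly above the threshold."""
    return average_login_time > threshold


def build_alert(average_login_time, threshold, sender, recipient):
    """Build the message that would be sent. Returning it, rather than sending
    inline, keeps the decision logic testable without a mail server."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = f"LoginQuality alert: AverageLoginTime {average_login_time} > {threshold}"
    msg.set_content(
        f"AverageLoginTime is {average_login_time}, above the threshold of {threshold}."
    )
    return msg


def smtp_precheck(host, port, timeout=5.0):
    """Plain TCP connect to the relay before trying to send.

    Returns (True, None) when something accepts the connection, otherwise
    (False, reason). A refused connection is what Winsock reports as 10061 and
    a timeout as 10060, the two errors quoted in this thread: both mean the
    configured host:port is not a listening SMTP server, not that the search
    or the condition is wrong.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, None
    except ConnectionRefusedError:
        return False, "connection refused (nothing listening on %s:%d)" % (host, port)
    except socket.timeout:
        return False, "timed out (host unreachable or port filtered)"
    except OSError as exc:
        return False, str(exc)


def _smtp_send(msg, host, port):
    # Real delivery path; only reached after the pre-check succeeded.
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.send_message(msg)


def alert_if_over_threshold(average_login_time, threshold, sender, recipient,
                            host, port, send_fn=None):
    """Full flow: decide, pre-check the relay, then send.

    send_fn(msg, host, port) can be injected to stub out delivery (used by the
    checks below); by default the message goes through smtplib. Returns a short
    status string so callers can see which branch was taken.
    """
    if not should_alert(average_login_time, threshold):
        return "skipped: below threshold"
    ok, reason = smtp_precheck(host, port)
    if not ok:
        return f"not sent: SMTP pre-check failed: {reason}"
    msg = build_alert(average_login_time, threshold, sender, recipient)
    (send_fn or _smtp_send)(msg, host, port)
    return "sent"


if __name__ == "__main__":
    # Placeholder relay and addresses: the server must be an SMTP listener
    # (typically port 25 or 587), not an HTTP proxy such as proxy.com:8080.
    print(alert_if_over_threshold(12.5, 10, "splunk@example.com",
                                  "oncall@example.com", "127.0.0.1", 25))
```

Running the script against a host that is not a mail server produces the "not sent: SMTP pre-check failed" status instead of the opaque Errno 10061/10060 messages, which separates a relay configuration problem from a problem with the threshold logic.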
hiteshkanchan
Communicator

If sending mail based on a condition like "if (AverageLoginTime > 10) send an email" is not possible, then I tried using Manager/Searches and Reports.
But it does not seem to send any mails. Any idea if I need to do any configuration?

hiteshkanchan
Communicator

I want to do this either from the search command or from a python script.

From the search query/command, I get the AverageLoginTime value and based on this value I need to send the mail.

So I am looking for some command like "if (AverageLoginTime > 10) send an email".
