Alert Sending Email based on an if condition

Communicator

I need to send an email based on an if condition. Something like "if (value > 10) send an email". But I am not able to figure out how to do this.

I am trying this with eval. But this only assigns the value to a variable (LoginQuality).

"eval LoginQuality= if (AverageLoginTime >10, "More", "Less")".

I need to change/modify this statement to send an email depending on the condition.

Can someone help me with this?

0 Karma

Path Finder

You can do this with a sub search. Check this out:

index="_internal" group="per_source_thruput" | search series!="_audit" | search series!="_internal" | eval GB=(kb/1024)/1024 | stats sum(GB) as Hourly_Indexed_GB | eval test=if(Hourly_Indexed_GB > 20.3 ,[| search index="_internal" group="per_source_thruput" | search series!="_audit" | search series!="_internal" | eval GB=(kb/1024)/1024 | stats sum(GB) as GB | table GB | sendemail to="email@somewhere.com" format=html subject=Splunk_License_warn server=Your_Mail_Server sendresults=true],"0" )

0 Karma

Path Finder

The gist of this is to include an if statement and place a sub search on the true or false clause of the if. The sub search uses the sendemail command to send you the results.

0 Karma

SplunkTrust

If I understand your goal here, it's possible that an "advanced conditional alert" will suit your needs. Check out http://docs.splunk.com/Documentation/Splunk/4.2.3/User/SchedulingSavedSearches and search for the section "Define an advanced conditional alert".

I think that using a conditional alert of the form

search LoginQuality > 10

should get you close to what you want...

SplunkTrust

You need to configure Splunk with a proper connection to a valid SMTP server. I doubt that proxy.com:8080 is a valid SMTP server. You need to make sure your basic SMTP connection is working before trying to move on to conditional alerts and stuff.

0 Karma
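
One way to check the basic SMTP connection mentioned in the answer above before retrying sendemail. This is an added example, not part of the original thread and not Splunk code; the function name `probe_smtp` and its status labels are assumptions made for illustration.

```python
import socket
import sys


def probe_smtp(host, port, timeout=5.0):
    """Classify a TCP endpoint that is expected to be an SMTP server.

    Returns (status, detail). An SMTP server greets first with a line
    starting with "220"; anything else means sendemail cannot use it.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError as exc:
        return "refused", str(exc)        # nothing listening (cf. Errno 10061)
    except socket.timeout as exc:
        return "timeout", str(exc)        # filtered or host down (cf. Errno 10060)
    except OSError as exc:
        return "unreachable", str(exc)    # DNS failure, no route, etc.
    with sock:
        try:
            banner = sock.recv(512)
        except socket.timeout:
            return "no_banner", "connected, but the server sent no greeting"
        except OSError as exc:
            return "closed", str(exc)
    if not banner:
        return "closed", "peer closed the connection before greeting"
    line = banner.decode("ascii", "replace").splitlines()[0]
    if line.startswith("220"):
        return "smtp", line
    return "not_smtp", line


if __name__ == "__main__":
    # Usage: python probe_smtp.py <host> <port>
    status, detail = probe_smtp(sys.argv[1], int(sys.argv[2]))
    print(status, "-", detail)
```

Only a result of `smtp` means the value given to `server=` is worth testing further; `no_banner` or `not_smtp` indicates the port is open but is not speaking SMTP.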

Communicator

I am trying this command --> sendemail to="user@domain.com" sendresults=true server="proxy.com:8080" and it gives an error like -->
"command="sendemail", Connection unexpectedly closed while sending mail to: user@domain.com"

0 Karma

Communicator

Yes, I am trying the same, but currently I am getting some error. "command="sendemail", [Errno 10061] No connection could be made because the target machine actively refused it while sending mail to: hitesh@domain.com".

Looks like some configuration issue. Kindly let me know if anyone has resolved this issue.

0 Karma

Builder

Under Manager/Searches and Reports you can schedule your e-mails. This is a feature that varies quite a bit between versions. The later versions have better control over this.

0 Karma

Builder

I have not personally done this, but another has on our system. I would expect that sendmail [on a unix system] must be accepting requests, well at least on 127.0.0.1

0 Karma

Communicator

Yes right, I am doing the same thing and getting some error like
command="sendemail", [Errno 10060] A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond while sending mail to: "username@mail.com"

0 Karma

Builder

There is a sendemail command,
| eval send = if(AverageLoginTime>10,"true","false")
| search send="true"
| sendemail {arg list}
http://docs.splunk.com/Documentation/Splunk/4.3.2/SearchReference/Sendemail

0 Karma

Communicator

If sending mail based on a condition like "if (AverageLoginTime > 10) send an email" is not possible, then I tried using Manager/Searches and Reports.
But it does not seem to send any mails. Any idea if I need to do any configuration?

0 Karma

Communicator

I want to do this either from the search command or from a python script.

From the search query/command, I get the AverageLoginTime value and based on this value I need to send the mail.

So I am looking for some command like "if (AverageLoginTime > 10) send an email"

0 Karma