Reporting

Alert Sending Email based on a if condition

hiteshkanchan
Communicator

I need to send an Email based on a if condition. Something like "if (value > 10) send an email". But I am not able to figure out how to do this.

I am trying this with eval. But this only assigns the value to a variable(LoginQuality).

"eval LoginQuality= if (AverageLoginTime >10, "More", "Less")".

I need to make change/modify this statement to send an email depending on the condition.

Can someone help me with this?

Tags (3)
0 Karma

romantercero
Path Finder

You can do this with a sub search. Check this out:

index="_internal" group="per_source_thruput" | search series!="_audit" | search series!="_internal" | eval GB=(kb/1024)/1024 | stats sum(GB) as Hourly_Indexed_GB | eval test=if(Hourly_Indexed_GB > 20.3 ,[| search index="_internal" group="per_source_thruput" | search series!="_audit" | search series!="_internal" | eval GB=(kb/1024)/1024 | stats sum(GB) as GB | table GB | sendemail to="email@somewhere.com" format=html subject=Splunk_License_warn server=Your_Mail_Server sendresults=true],"0" )

0 Karma

romantercero
Path Finder

The gist of this is to include an if statement and place a sub search on the true or false clause of the if. The sub search uses the sendmail command to send you the results.

0 Karma

dwaddle
SplunkTrust
SplunkTrust

If I understand your goal here, it's possible that an "advanced conditional alert" will suit your needs. Check out http://docs.splunk.com/Documentation/Splunk/4.2.3/User/SchedulingSavedSearches and search for the section "Define an advanced conditional alert".

I think that using a conditional alert of the form

search LoginQuality > 10

should get you close to what you want...

dwaddle
SplunkTrust
SplunkTrust

You need to configure Splunk with a proper connection to a valid SMTP server. I doubt that proxy.com:8080 is a valid SMTP server. You need to make sure your basic SMTP connection is working before trying to move on to conditional alerts and stuff.

0 Karma

hiteshkanchan
Communicator

I am trying this command --> sendemail to="user@domain.com" sendresults=true server="proxy.com:8080" and it gives the error like -->
"command="sendemail", Connection unexpectedly closed while sending mail to: user@domain.com"

0 Karma

hiteshkanchan
Communicator

Yes I am trying the same, but currently I am getting some error. "command="sendemail", [Errno 10061] No connection could be made because the target machine actively refused it while sending mail to: hitesh@domain.com"".

Looks like some configuration issue. Kindly let me know if anyone has resolved this issue

0 Karma

fk319
Builder

Under Manager/Searches and Reports you can schedule your e-mails. This is a feature that veries quite a bit between version. The later versions have better control over this.

0 Karma

fk319
Builder

I have not personaly done this, but an other has on our system. I would expect that sendmail [on a unix system] must be accepting request, well at leat on 127.0.0.1

0 Karma

hiteshkanchan
Communicator

Yes right, I am doing the same thing and getting some error like
command="sendemail", [Errno 10060] A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond while sending mail to: "username@mail.com"

0 Karma

fk319
Builder

there is a sendmail command,
| eval send = if(AverageLoginTime>10,true,false)
| search send=true
| sendmail {arg list}
http://docs.splunk.com/Documentation/Splunk/4.3.2/SearchReference/Sendemail

0 Karma

hiteshkanchan
Communicator

If sending mail based on condition like "if (AvearageLoginTime > 10) send an email" is not possible, then I tried using Manager/Searches and Reports.
But it does not seem to send any mails. Any idea if I need to do any configuration.

0 Karma

hiteshkanchan
Communicator

I want to do this either from the search command or from a python script.

From the search query/command, I get the AverageLoginTime value and based on this value I need to send the mail.

So I am looking for some command like "if (AvearageLoginTime > 10) send an email"

0 Karma
Get Updates on the Splunk Community!

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Splunk Federated Analytics for Amazon Security Lake

Thursday, November 21, 2024  |  11AM PT / 2PM ET Register Now Join our session to see the technical ...

Splunk With AppDynamics - Meet the New IT (And Engineering) Couple

Wednesday, November 20, 2024  |  10AM PT / 1PM ET Register Now Join us in this session to learn all about ...