Reporting

Lookup Table & Sending Email from within the table's columns

MasterOogway
Communicator

I have been asked to further enhance the Lookup Table currently in place which allows for RealTime lookups of Cisco Events. The request would be to add a couple columns, one for paging and one for emails. If an 'event' is matched to a 'device' then send a 'page' or 'email' to the appropriate group (see below).

event,action,device,email,page
%PHY-4-EXCESSIVE_ERRORS,TRUE,msp-usr-rtr1,emailperson@blah.com,pager@blah.com

Is this possible, and if yes, how? My current props & transforms.conf are setup to extract 'error' from the incoming syslog and look like this:

props.conf:

[syslog_info]
EXTRACT-cisco_event = (?<error>\%.*-\b([0-4])\-.*?):\s
LOOKUP-foo = cisco_event_error error OUTPUTNEW

transforms.conf:

[cisco_event_error]
filename = syslog_alerter.csv

Any ideas or thoughts on if this has been done or can be done would be appreciated. This would work in conjunction with:

http://answers.splunk.com/questions/10502/lookup-table-only-send-email-if-the-event-is-not-on-the-lo...

MasterOogway


araitz
Splunk Employee

The problem with this approach is that for a given saved search, there might be 5 of one type of event that goes to one email recipient, 7 of another type of event that goes to another, and so on.

Splunk's sendemail script is not capable of sending different portions of a saved search result set to multiple recipients - it would have to be invoked at least once per recipient.

There are two alternatives that I can think of:

  • Use a scripted action or hacked version of sendemail.py to sort through the result set of the saved search and send alerts to the right email address based on the values provided by the lookup
  • Set up discrete saved searches for each potential recipient. Each search would look like this:

    email=emailperson@blah.com | sendemail to=emailperson@blah.com <the rest of the opt/args for sendemail>...
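As an added illustration of the first alternative (a scripted alert action rather than a modified sendemail.py), the following is example code, not Splunk's own script and not from the original thread. It assumes the saved search's result rows already carry the lookup's OUTPUTNEW fields (here `email` and `page`, matching the CSV in the question), and that Splunk invokes it with the legacy scripted-alert arguments, where argv[4] is the saved search name and argv[8] is the path to a gzipped CSV of the results. Rows with no lookup match (empty `email` and `page`) are reported on stderr instead of being silently dropped, and the SMTP host, sender address and sample rows are constructed placeholders:

```python
#!/usr/bin/env python
"""Per-recipient dispatcher for a Splunk scripted alert action (added example).

Groups the saved search's result rows by the destination named in the lookup
output fields and sends one message per destination, so a single saved search
can alert several groups. Assumed Splunk calling convention: argv[4] is the
saved search name, argv[8] is the gzipped CSV of results.
"""
import csv
import gzip
import os
import smtplib
import sys
from collections import defaultdict
from email.message import EmailMessage

# Lookup output columns that name a destination (from the question's CSV).
RECIPIENT_FIELDS = ("email", "page")

# Constructed sample rows standing in for the saved search's results.
SAMPLE_ROWS = [
    {"_time": "2024-05-01T10:00:01", "host": "msp-usr-rtr1",
     "error": "%PHY-4-EXCESSIVE_ERRORS",
     "email": "emailperson@blah.com", "page": "pager@blah.com"},
    {"_time": "2024-05-01T10:00:07", "host": "msp-usr-rtr1",
     "error": "%PHY-4-EXCESSIVE_ERRORS",
     "email": "emailperson@blah.com", "page": "pager@blah.com"},
    {"_time": "2024-05-01T10:01:15", "host": "msp-usr-rtr2",
     "error": "%LINK-3-UPDOWN", "email": "netops@blah.com", "page": ""},
    # No lookup match: OUTPUTNEW added nothing, so both destination fields are empty.
    {"_time": "2024-05-01T10:02:30", "host": "msp-usr-rtr3",
     "error": "%SYS-5-CONFIG_I", "email": "", "page": ""},
]


def read_results(path):
    """Load the gzipped CSV that Splunk hands to a scripted alert (argv[8])."""
    with gzip.open(path, "rt", newline="") as fh:
        return list(csv.DictReader(fh))


def group_by_recipient(rows, fields=RECIPIENT_FIELDS):
    """Map each destination address to the rows whose lookup output names it.

    A row naming several destinations (email and page) is attached to each.
    Rows naming none are collected under the key None for reporting.
    """
    groups = defaultdict(list)
    for row in rows:
        matched = False
        for field in fields:
            addr = (row.get(field) or "").strip()
            if addr:
                groups[addr].append(row)
                matched = True
        if not matched:
            groups[None].append(row)
    return dict(groups)


def build_message(recipient, rows, sender, subject):
    """Build one plain-text message listing only this recipient's events."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "%s (%d event(s))" % (subject, len(rows))
    lines = ["%s  %s  %s" % (r.get("_time", ""), r.get("host", ""), r.get("error", ""))
             for r in rows]
    msg.set_content("\n".join(lines))
    return msg


def dispatch(rows, sender, subject, smtp_host=None):
    """Send one message per destination; returns the messages built.

    With smtp_host=None nothing is sent, which allows offline inspection.
    """
    built = []
    for recipient, recipient_rows in group_by_recipient(rows).items():
        if recipient is None:
            sys.stderr.write("%d event(s) had no lookup match; not sent\n"
                             % len(recipient_rows))
            continue
        msg = build_message(recipient, recipient_rows, sender, subject)
        if smtp_host:
            with smtplib.SMTP(smtp_host) as conn:
                conn.send_message(msg)
        built.append(msg)
    return built


if __name__ == "__main__":
    # Under Splunk, argv[8] is the results file; run stand-alone it uses the sample rows.
    results_path = sys.argv[8] if len(sys.argv) > 8 else None
    search_name = sys.argv[4] if len(sys.argv) > 4 else "Cisco event alert"
    rows = read_results(results_path) if results_path else SAMPLE_ROWS
    # SMTP_HOST is an assumed environment variable; unset means build only.
    for m in dispatch(rows, "splunk@blah.com", search_name, os.environ.get("SMTP_HOST")):
        print("would send to %s: %s" % (m["To"], m["Subject"]))
```

Each row is attached to every destination it names, so the `%PHY-4-EXCESSIVE_ERRORS` events go both to the email address and to the pager address in a single run, which is the behaviour the question asks for and which a per-recipient saved search cannot give without duplication.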

southeringtonp
Motivator

You might be able to get creative with the 'map' command to generalize the second case. But in any event, it's clearly not a trivial thing to do.
