Solved: Send email on Notable Event close action

Splunkometry88 · ‎09-02-2020

Hi Team

I am looking to send an email alert once the notable event is closed, I can send an email when the notable event is created but I cannot seem to find a way to send an email when the notable event is closed

Jhunter · ‎09-04-2020

The only thing I can think of is a new correlation search (or scheduled search - an Alert with email as trigger actions) that looks at the incident_review.csv (or the macro `incident_review` which has better context) and tracks status changes for notables going from 1 to 5.

One way without thinking about the logic too deeply is to create a new CSV with all notables with unclosed status (coming from the incident_review.csv)

Have the search run every 5-15 minutes (it shouldn't be resource intensive) and use a lookup command against incident_review.csv and look for where one of the unclosed notables has changed to a closed status.

Hope this helps..

View solution in original post

Jhunter · ‎09-04-2020

The only thing I can think of is a new correlation search (or scheduled search - an Alert with email as trigger actions) that looks at the incident_review.csv (or the macro `incident_review` which has better context) and tracks status changes for notables going from 1 to 5.

One way without thinking about the logic too deeply is to create a new CSV with all notables with unclosed status (coming from the incident_review.csv)

Have the search run every 5-15 minutes (it shouldn't be resource intensive) and use a lookup command against incident_review.csv and look for where one of the unclosed notables has changed to a closed status.

Hope this helps..

Send email on Notable Event close action

incident review

notable event

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!