Solved: Send email on Notable Event close action

Splunkometry88 · ‎09-02-2020

Hi Team

I am looking to send an email alert once the notable event is closed, I can send an email when the notable event is created but I cannot seem to find a way to send an email when the notable event is closed

Jhunter · ‎09-04-2020

The only thing I can think of is a new correlation search (or scheduled search - an Alert with email as trigger actions) that looks at the incident_review.csv (or the macro `incident_review` which has better context) and tracks status changes for notables going from 1 to 5.

One way without thinking about the logic too deeply is to create a new CSV with all notables with unclosed status (coming from the incident_review.csv)

Have the search run every 5-15 minutes (it shouldn't be resource intensive) and use a lookup command against incident_review.csv and look for where one of the unclosed notables has changed to a closed status.

Hope this helps..

View solution in original post

Jhunter · ‎09-04-2020

The only thing I can think of is a new correlation search (or scheduled search - an Alert with email as trigger actions) that looks at the incident_review.csv (or the macro `incident_review` which has better context) and tracks status changes for notables going from 1 to 5.

One way without thinking about the logic too deeply is to create a new CSV with all notables with unclosed status (coming from the incident_review.csv)

Have the search run every 5-15 minutes (it shouldn't be resource intensive) and use a lookup command against incident_review.csv and look for where one of the unclosed notables has changed to a closed status.

Hope this helps..

Send email on Notable Event close action

incident review

notable event

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!