Splunk Enterprise

How do you email alerts for 50+ different systems and users?

Organization  System  Scan Due Date  email of SA
ABC           Jack    7-Feb-21       jack@email.com
ABC           Jill    9-May-20       jill@email.com
123           Bob     Unspecified    bob@email.com
123           Alice   Unspecified    alice@email.com
456           James   10-Jan-21      james@email.com


| inputlookup scan_due_date.csv
| eval date = strptime('Scan Date', "%d-%b-%Y")
| eval duedate = if(isnull(date) OR date="", "Unspecified", date)
| eval status=case(duedate="Unspecified","Unspecified",duedate >= now(),"Not Expired",true(),"Overdue")
| fields date duedate status
| stats count by status

I am trying to set up email alerting for systems. The above table and search work to show which systems are past or current on their scan date. I want to make an alert for each system that is overdue for its scan date or Unspecified, without having to write an alert for each individual system. Each individual system has its own unique email.

Is there a way to write an eval statement that will look at the status field and email the system owner that the system is overdue or Unspecified, without having to write out 50 different eval statements, one per system email, to generate an alert?

Thanks!


Re: How do you email alerts for 50+ different systems and users?


@UMDTERPS

Use map along with the sendemail command to send the alerts.

base search generating results | map search="... | sendemail to=\"$email$\""


Re: How do you email alerts for 50+ different systems and users?


@anilchaithu 

| inputlookup scan_due_date.csv
| eval date = strptime('Scan Date', "%d-%b-%Y")
| eval duedate = if(isnull(date) OR date="", "Unspecified", date)
| eval status=case(duedate="Unspecified","Unspecified",duedate >= now(),"Not Expired",true(),"Overdue")
| search status=Unspecified OR status=Overdue
| map [| sendemail to="$email$" subject="Alert - Shame on you! Your System Scan is Either Overdue or Date Unspecified" from=bob@mail.com message="Shame!" ]


When I run the search I get "0 results found." I'm assuming it has to do with the subsearch data not getting into the map command? How do I get the search above into the map command?


| map search= "| inputlookup scan_due_date.csv
| eval date = strptime('Scan Date', "%d-%b-%Y")
| eval duedate = if(isnull(date) OR date="", "Unspecified", date)
| eval status=case(duedate="Unspecified","Unspecified",duedate >= now(),"Not Expired",true(),"Overdue")
| search status=Unspecified OR status=Overdue
| sendemail to="$email$" subject= Alert - Shame on you! Your System Scan is Either Overdue or Date Unspecified" from=bob@mail.com message="Shame!""


If I do it similarly to what you have in your SPL, none of the commands highlight and the search won't run.

Any ideas?  Thanks!


Re: How do you email alerts for 50+ different systems and users?


@UMDTERPS 

Do you have an "email" field in your base search? You should have an email field in your query. If the field name is not email, please change the token in the map search command accordingly. The output for this search query will be zero.

The syntax is not correct in your query. It's not a subsearch. I guess I was not clear earlier. Try this:

| inputlookup scan_due_date.csv
| eval date = strptime('Scan Date', "%d-%b-%Y")
| eval duedate = if(isnull(date) OR date="", "Unspecified", date)
| eval status=case(duedate="Unspecified","Unspecified",duedate >= now(),"Not Expired",true(),"Overdue")
| search status=Unspecified OR status=Overdue
| map search="| makeresults | sendemail to=\"$email$\" subject=\"Alert - Shame on you! Your System Scan is Either Overdue or Date Unspecified\" from=\"bob@mail.com\" message=\"Shame!\""


Hope this helps.

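Added example, not code from this thread or from Splunk: one search that sends a single email per owner listing all of that owner's overdue or unspecified systems, rather than one email per row. It assumes the lookup's columns are System, Scan Date and email (the thread's search uses those names; the sample table above labels the last column "email of SA", so check the CSV header and rename if needed), and the sender address scan-alerts@example.com is a placeholder. Because the sample table shows two-digit years (7-Feb-21), the example parses with %y; use %Y as the thread does if your CSV carries four-digit years. Two things to keep in mind with map: it runs one subsearch per input row and stops at maxsearches, whose default is 10, so set it above the number of owners; and it substitutes field values textually into the search string, so a lookup cell containing a double quote or other SPL could alter the mapped search. The address check and the System sanitising sit before map for that reason, and every token is quoted.

```spl
| inputlookup scan_due_date.csv
| eval date = strptime('Scan Date', "%d-%b-%y")
| eval status = case(isnull(date), "Unspecified", date >= now(), "Not Expired", true(), "Overdue")
| search status="Unspecified" OR status="Overdue"
| where match(email, "^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
| eval System = replace(System, "[^A-Za-z0-9 ._-]", "")
| eval detail = System . " (" . status . ")"
| stats values(detail) AS systems BY email
| eval systems = mvjoin(systems, "; ")
| map maxsearches=200 search="| makeresults | sendemail to=\"$email$\" from=\"scan-alerts@example.com\" subject=\"Scan overdue or unspecified: action required\" message=\"The following systems assigned to you need a scan: $systems$\""
```

Run it first with the map line replaced by `| table email systems` to see exactly who would be emailed and with what; rows dropped by the `where match(...)` line (malformed addresses) are never emailed, so they should show up in that dry run. Only then save the search as a scheduled alert. The sendresults app mentioned below is an alternative that avoids the per-row subsearch entirely.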

Re: How do you email alerts for 50+ different systems and users?


sendresults (Splunkbase) can also do this... and it's a nicer alternative to map in many cases...
