Re: How configure an alert to send an email based ...

vinuece2007 · ‎01-13-2017

Hi All

I have a requirement to trigger an alert email per Service in case of failures.
I don't want to create separate alerts for each service.

My search returns below results example -

ServiceName         Status      Time                EmailContact
ABC                 failed  1/13/2017 8.50 am       xyz@mail.com
ABC                 failed  1/13/2017 8.55 am       xyz@mail.com
DEF                 failed  1/13/2017 9.00 am       bcd@mail.com

How to get two emails from Splunk for ServiceName-ABC and ServiceName DEF?

First email should sent to xyz@mail.com with below 2 rows

ServiceName         Status      Time                EmailContact
ABC                 failed  1/13/2017 8.50 am       xyz@mail.com
ABC                 failed  1/13/2017 8.55 am       xyz@mail.com

Second email should sent to bcd@mail.com with below 1 rows

ServiceName         Status      Time                EmailContact
DEF                 failed  1/13/2017 9.00 am       bcd@mail.com

I have tried to use "map" command in the Custom trigger condition but it is not working.
Please tell me the approach to accomplish this. Thanks !!

Regards
Selvaraj

woodcock · ‎01-13-2017

Like this:

Your Base Search Here
| outputlookup MyTempLookup.csv
| stats count by EmailContact
| map maxsearches=9999 search="|inputlookup MyTempLookup.csv
                               | search EmailContact=$EmailContact$
                               | sendemail to=\"$EmailContact$\" format=raw subject=myresults sendresults=true"

woodcock · ‎12-27-2019

@ppablo, We could use an admin-accept here, I think.

How configure an alert to send an email based on field values?

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...