Splunk Search

How to send email to different groups based on the criteria?

Path Finder

I would like to send emails to different groups based on number of events returned for a search.

Query:

index=xyz (host=server1) (sc_status=2*) (sc_status!=400*)  
| sort - _time 
| eval Time=strftime(_time, "%m/%d/%y %I:%M:%S %p") 
| eventstats count as TOTAL_COUNT 
| eval recipients = case(TOTAL_COUNT > 100, "qwerty1@abc.com,qwerty2@abc.com,qwerty3@abc.com", TOTAL_COUNT >= 50, "qwerty4@abc.com,qwerty5@abc.com,qwerty5@abc.com", 1==1, null()) 
| table Time,host,c_ip,cs_uri_stem,s_ip,s_port,sc_status,sc_substatus,time_taken
| sendemail to="qwerty1@abc.com,qwerty2@abc.com,qwerty3@abc.com" server=server subject="Here is an email notification" message="This is an example message" sendresults=true inline=true format=table sendpdf=false

This is working fine. But, I am not able to use the recipients custom field created based on the thresholds. I would like to use something like

| sendemail **to=$recipients$** server=server subject="Here is an email notification" message="This is an example message" sendresults=true inline=true format=table sendpdf=false

SplunkTrust

The sendresults application should be a perfect fit for your scenario.


Path Finder

Thank you for the help.

Everything is good except that I am not able to define the subject of the alert dynamically.

So, can you please let me know if there is a way I can remove the recipient field from the table of the alert and use $result.recipient$ in the to field of the alert.

I am now able to send the alert using $result.recipient$, but the only issue is that if I mention it in the table, the alert is chatty to read. If I remove it by using | fields - recipient, then the alert isn't being triggered to the corresponding recipients.

Please help me.
