Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to send hard coded message as an email from Splunk

devsru
Explorer
‎12-19-2024 07:26 AM

Hi Everyone,

I need to send a hard coded message to the users just before every daylight savings of the year saying "Daylight savings is scheduled tomorrow, please be alerted " and i don't want to use any index for the that but just hard coded message. Is it possible to create an alert based on the requirement.

Labels (5)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎12-21-2024 12:41 PM

Alerts are based on searches. Searches do _not_ have to be based on indexes. You could event do a repeated daily search to detect the DST change. But the question is why use Splunk for it in the first place.

0 Karma
Reply

luizlimapg
Path Finder
‎12-19-2024 09:35 AM

Hi @devsru,

You can use makeresults for that:

| makeresults
| eval msg="Daylight savings is scheduled tomorrow, please be alerted "
| fields - _time

Create an cron scheduled alert based on this SPL, triggering when the results are more than 0, and configure the 'Send Email' alert action.

Reply

dural_yyz
Motivator
‎12-19-2024 09:30 AM 
| makeresults count=365 
| streamstats count 
| eval DayOfYear=strftime(round(relative_time(now(), "-0y@y"))+((count-1)*86400),"%Y-%m-%d") 
| eval FirstOfMonth=strftime(strptime(DayOfYear, "%Y-%m-%d"),"%Y-%m-01") 
| eval Sunday=strftime(relative_time(strptime(FirstOfMonth, "%Y-%m-%d"),"+2w@w0"), "%Y-%m-%d")
| eval Match=if((Sunday=DayOfYear AND (strftime(round(relative_time(now(), "-0y@y"))+((count-1)*86400),"%m")=="03" OR strftime(round(relative_time(now(), "-0y@y"))+((count-1)*86400),"%m")=="11") ),"TRUE","FALSE")
| table _time DayOfYear FirstOfMonth Sunday Match
| search Match=TRUE

This search will find the second Sunday of every March and November for the current year.  You actually need to identify if today is the day before in order to trigger an alert which you can program to send an email.

There might be easier methods to identify the DST change but my research has not found it yet this morning.  Also this assumes the DST change is for the Americas, other portions of the globe may not share the same DST days.

Reply

devsru
Explorer
‎12-20-2024 12:49 AM

Thanks for the query. I need to send an alert a day before daylight savings in europe i.e Sun, Mar 30, 2025 – Sun, Oct 26, 2025

Could you please tell me how to update this query. Lets say run at 2 PM the day before with the message.

0 Karma
Reply

dural_yyz
Motivator
‎12-21-2024 12:36 PM
@devsru wrote:

Thanks for the query. I need to send an alert a day before daylight savings in europe i.e Sun, Mar 30, 2025 – Sun, Oct 26, 2025

Could you please tell me how to update this query. Lets say run at 2 PM the day before with the message.

Ok - so am I to assume the rule is the 4th Sunday of those months or is this more difficult like the last Sunday of those months.  There needs to be a rule or common theme to identify each year in the future, unless a governing body just randomly decides each year then I can't script for that.

| eval Sunday=strftime(relative_time(strptime(FirstOfMonth, "%Y-%m-%d"),"+2w@w0"), "%Y-%m-%d")
| eval Match=if((Sunday=DayOfYear AND (strftime(round(relative_time(now(), "-0y@y"))+((count-1)*86400),"%m")=="03" OR strftime(round(relative_time(now(), "-0y@y"))+((count-1)*86400),"%m")=="11") ),"TRUE","FALSE")

The eval for Sunday=... contains '+2w@w0' which indicates the second week @ weekday of 0 which in this case is Sunday (1=Monday, etc....).

The eval for Match= has many AND OR statements but the '==03' and '==11' just needs to be updated to match your month in question.

The entire search I gave you will only identify the two days where DST changes occur.  You need to add an additional calculation to say is today or now() the day before either of the DST change results.  If TRUE then result == 1, if FALSE then result == 0 (result being any variable name of your choosing).  Once you have that search working and verified you can setup an Alert action that results in email delivery if result value > 0.  That alert action search can be schedule to run every Saturday for every week.

Set it once and forget about it as it should work year after year.  That said good maintenance is to on a reoccurring bases verify the search still matches your local DST rules and that destination mailing list still exists and contains the appropriate user base.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Maximizing the Value of Splunk ES 8.x

Splunk Enterprise Security (ES) continues to be a leader in the Gartner Magic Quadrant, reflecting its pivotal ...