How do I get this search to send the following eval shown in my email? I am getting the email now, but "No results found" is shown in the email body. Please help!!!
host="irprapppvot*" ("PV-API-Key is required and was not provided or is invalid" OR pvo.common.20002) | table _time, host | eval alert_contact="SysEng" | eval alert_description="pvo.common.20002 and PV-API-Key is required and was not provided or is invalid with more than 75 instances in a single minute. NOC to cycle the indicated host. If the issue is still happening, contact SysEng to investigate."
Configure your saved search to only send email if the number of results is > 1
| makeresults
| eval alert_description="pvo.common.20002 and PV-API-Key is required and was not provided or is invalid with more than 75 instances in a single minute. NOC to cycle the indicated host. If the issue is still happening, contact SysEng to investigate."
| append [ search host="irprapppvot*" ("PV-API-Key is required and was not provided or is invalid" OR pvo.common.20002)
| table _time, host
| eval alert_contact="SysEng" ]
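An added variant of the same approach, written for this thread rather than taken from any of the answers: it counts the errors per host per minute and keeps a row only when the 75-per-minute threshold from the question is exceeded, so the alert_contact and alert_description fields travel with the result that triggers the alert. The host pattern, threshold and field names come from the question; the minute bucketing and the errors_per_min column are assumptions about how the threshold is meant to be evaluated.

```spl
host="irprapppvot*" ("PV-API-Key is required and was not provided or is invalid" OR pvo.common.20002)
| bucket _time span=1m
| stats count AS errors_per_min BY _time, host
| where errors_per_min > 75
| eval alert_contact="SysEng"
| eval alert_description="More than 75 PV-API-Key / pvo.common.20002 errors from ".host." in the minute starting ".strftime(_time, "%Y-%m-%d %H:%M").". NOC to cycle the indicated host. If the issue is still happening, contact SysEng to investigate."
| table _time, host, errors_per_min, alert_contact, alert_description
```

Set the trigger condition to Number of Results greater than 0 and enable Include results inline on the email action; the table columns then form the email body, and the instructions only appear when there is something to act on.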
Hi valiquet, does this search require a matching alert to happen for us to see the eval in the e-mail body? I set it up as "is equal to 0" to test for now, to see if this works.
valiquet, thank you very much. I will give this search a test and update the same.
Hey dave0970,
It looks like your eval is not a condition but a message to the end user; you can add it in the description, whereas for the alert to trigger you need a condition to be satisfied.
Refer to this doc below:
https://docs.splunk.com/Documentation/Splunk/latest/Alert/AlertTriggerConditions
Let me know if this helps!!
Hi deepashri, here is the email body. It does not show the "eval" instruction to call SysEng and the description for the NOC; instead it just shows "No results found". I believe I am missing something in my search strings. Any ideas will help a lot.
Subject: Splunk Alert: PVO - API Error: PV API Key
Importance: High
There were 0 result(s).
The alert took 68633.408 seconds to run.
Alert: PVO - API Error: PV API Key
View results in Splunk
No results found.
Oops, sorry for the large font. Don't know why.
The line of equal signs did it. I changed them to a horizontal rule.
Hi Rich,
host="irprapppvot*" ("PV-API-Key is required and was not provided or is invalid" OR pvo.common.20002) | table _time, host | eval alert_contact="SysEng" | eval alert_description="pvo.common.20002 and PV-API-Key is required and was not provided or is invalid with more than 75 instances in a single minute. NOC to cycle the indicated host. If the issue is still happening, contact SysEng to investigate."
Here is the e-mail body when the alert triggered. The eval instruction is supposed to show right below "View results in Splunk", but I don't see it.
=========================
Subject: Splunk Alert: PVO - API Error: PV API Key
Importance: High
There were 0 result(s).
The alert took 66618.237 seconds to run.
Alert: PVO - API Error: PV API Key
View results in Splunk
This event search already happened. I just need to know what to put in the search so that when the alert comes in by email it shows "contact SysEng" and a description of what to do. Right now it says "No results found" in the body. The time it happened was 3/7/18.
Does your search
host="irprapppvot*" ("PV-API-Key is required and was not provided or is invalid" OR pvo.common.20002)
always yield at least one result?