Splunk Search

eval shown in my email?

dave0970
Engager

How do I get this search to send the following eval shown in my email? I am getting the email now, but "No results found" is shown in the email body. Please help!!!

host="irprapppvot*" PV-API-Key is required and was not provided or is invalid OR pvo.common.20002 | table _time, host | eval alert_contact="SysEng" | eval alert_description="pvo.common.20002 and PV-API-Key is required and was not provided or is invalid with more than 75 instances in a single minute. NOC to cycle the indicated host. If the issue is still happening, contact SysEng to investigate."

0 Karma

valiquet
Contributor

Configure your saved search to only send email if number of results is > 1

| makeresults
| eval alert_description="pvo.common.20002 and PV-API-Key is required and was not provided or is invalid with more than 75 instances in a single minute. NOC to cycle the indicated host. If the issue is still happening, contact SysEng to investigate."
| append [ search host="irprapppvot*" PV-API-Key is required and was not provided or is invalid OR pvo.common.20002 
                   | table _time, host 
                   | eval alert_contact="SysEng" ]

dave0970
Engager

Hi valiquet, does this search require a matching alert to happen for us to see the eval in the e-mail body? I set it up as "is equal to 0" to test for now, to see if this works.

0 Karma

dave0970
Engager

valiquet- Thank you very much. I will give this search a test and update the same.

0 Karma

deepashri_123
Motivator

Hey dave0970,

Looks like your eval is not a condition but a message to the end user, and you can add it in the description, whereas for the alert to trigger you need a condition to be satisfied.
Refer to this doc below:
https://docs.splunk.com/Documentation/Splunk/latest/Alert/AlertTriggerConditions

Let me know if this helps!!

0 Karma
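Putting the two answers together, here is a complete alert definition in savedsearches.conf that keeps the contact and run-book text on every result row and only sends mail when at least one row comes back. This is an added example, not code from either reply; the stanza name, recipient address, schedule, the quoting of the error phrase, and the 75-per-minute threshold (taken from the description text, expressed as a `where` clause) are all assumptions.

```ini
# Added example: savedsearches.conf stanza (assumed name and recipient).
# The search carries alert_contact/alert_description on every row, and the
# trigger fires only when the search returns a row, so the email never shows
# "No results found" without the instructions.
[PVO - API Error: PV API Key]
# Assumed: the error message is matched as a quoted phrase, and a host is
# flagged when it logs more than 75 matching events in a single minute.
search = host="irprapppvot*" ("PV-API-Key is required and was not provided or is invalid" OR "pvo.common.20002") \
  | bin _time span=1m \
  | stats count BY _time, host \
  | where count > 75 \
  | eval alert_contact="SysEng" \
  | eval alert_description="pvo.common.20002 and PV-API-Key is required and was not provided or is invalid with more than 75 instances in a single minute. NOC to cycle the indicated host. If the issue is still happening, contact SysEng to investigate." \
  | table _time, host, count, alert_contact, alert_description

# Schedule (assumed): run every 5 minutes over the previous 5 minutes
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = now

# Trigger condition: number of results greater than 0
counttype = number of events
relation = greater than
quantity = 0
alert.severity = 4
alert.track = 1

# Email action: inline results table plus the eval'd fields in the message text
action.email = 1
action.email.to = noc@example.com
action.email.subject = Splunk Alert: $name$
action.email.inline = 1
action.email.format = table
action.email.sendresults = 1
action.email.include.results_link = 1
action.email.message.alert = $result.alert_contact$: $result.alert_description$
```

The `$result.<field>$` tokens take their values from the first result row, so the message text is populated whenever the trigger condition is met.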

dave0970
Engager

Hi deepashri, here is the email body. It does not show the "eval" instruction to call SysEng and the description for the NOC; instead it just shows "No results found". I believe I am missing something in my search strings. Any ideas will help a lot.

Subject: Splunk Alert: PVO - API Error: PV API Key
Importance: High

There were 0 result(s).
The alert took 68633.408 seconds to run.
Alert: PVO - API Error: PV API Key

View results in Splunk
No results found.

0 Karma

dave0970
Engager

Oops, sorry for the large font. Don't know why.

0 Karma

richgalloway
SplunkTrust

The line of equal signs did it. I changed them to a horizontal rule.

---
If this reply helps you, Karma would be appreciated.
0 Karma

dave0970
Engager

Hi Rich,

Do you mind explaining a little bit more about your comment? Or, perhaps, editing my search?

host="irprapppvot*" PV-API-Key is required and was not provided or is invalid OR pvo.common.20002 | table _time, host | eval alert_contact="SysEng" | eval alert_description="pvo.common.20002 and PV-API-Key is required and was not provided or is invalid with more than 75 instances in a single minute. NOC to cycle the indicated host. If the issue is still happening, contact SysEng to investigate."

0 Karma

dave0970
Engager

Here is the e-mail body when the alert triggered. The eval instruction is supposed to show right below "View results in Splunk", but I don't see it.

---
Subject: Splunk Alert: PVO - API Error: PV API Key
Importance: High

There were 0 result(s).
The alert took 66618.237 seconds to run.
Alert: PVO - API Error: PV API Key

View results in Splunk

0 Karma

dave0970
Engager

This event search already happened. I just need to know what to put in the search so that when the alert comes in the email it will show "contact SysEng" and a description of what to do. Right now it says "No results found" in the body. The time it happened was 3/7/18.

0 Karma

strive
Influencer

Does your search
host="irprapppvot*" PV-API-Key is required and was not provided or is invalid OR pvo.common.20002
always yield at least one result?

0 Karma