Re: group results to be emailed to appropriate sup...

splunkhan · ‎05-13-2019

I'm looking to search for multiple errors and exceptions across application logs for across multiple servers.

using a host_email.csv lookup table containing:
host, email_address

How can group these by error/exception type per server send email to corresponding team based on server. I would like to include in my email alert the alert message, server, and count. My search is not working:

| lookup host_email.csv
| search "error1" OR "error2" OR "error3" OR "error4" OR "exception1" OR "exception2" OR "exception3" | stats count values(_raw) by host
| search action.email=1 action.email.to=email_address

MuS · ‎05-13-2019

Hi splunkhan,

untested and just making this up, but something like this should work:

| lookup host_email.csv 
| search "error1" OR "error2" OR "error3" OR "error4" OR "exception1" OR "exception2" OR "exception3" | stats count values(_raw) by host
| search action.email=1 action.email.to=email_address
| map maxsearches=0 search="stats count 
| fields - count 
| sendemail from=buttercup@splunk.com to=$action.email$ subject=$alert.subject$ message=$alert.message$ sendresults=true"

You might need to modify to work correct, and read about the sendemail command here https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Sendemail and the map command here https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Map

Hope this helps ...

cheers, MuS

group results to be emailed to appropriate support team based on server

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!