Splunk Search

group results to be emailed to appropriate support team based on server

splunkhan
New Member

I'm looking to search for multiple errors and exceptions across application logs on multiple servers.

Using a host_email.csv lookup table containing:
host, email_address

How can I group these by error/exception type per server and send an email to the corresponding team based on server? I would like to include the alert message, server, and count in my email alert. My search is not working:

| lookup host_email.csv
| search "error1" OR "error2" OR "error3" OR "error4" OR "exception1" OR "exception2" OR "exception3" | stats count values(_raw) by host
| search action.email=1 action.email.to=email_address

0 Karma

MuS
SplunkTrust

Hi splunkhan,

Untested and just made up, but something like this should work:

| lookup host_email.csv host OUTPUT email_address
| search "error1" OR "error2" OR "error3" OR "error4" OR "exception1" OR "exception2" OR "exception3" | stats count values(_raw) by host email_address
| map maxsearches=0 search="stats count 
| fields - count 
| sendemail from=buttercup@splunk.com to=$email_address$ subject=$alert.subject$ message=$alert.message$ sendresults=true"

You might need to modify it to work correctly; read about the sendemail command here https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Sendemail and the map command here https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Map

Hope this helps ...

cheers, MuS

0 Karma
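The grouping and routing the answer sketches with lookup, stats and map, worked through outside Splunk as an added Python example (not code from the thread): match the error/exception terms, count per host and error type, and route each host's group to the team address from the lookup. The lookup rows, log events and team addresses are constructed samples.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed lookup, same layout as host_email.csv in the question.
HOST_EMAIL_CSV = """host,email_address
app01,team-a@example.invalid
app02,team-b@example.invalid
"""

# Constructed events as (host, _raw); app03 is missing from the lookup on purpose.
SAMPLE_EVENTS = [
    ("app01", "2024-05-01T10:00:01 ERROR error1: connection pool exhausted"),
    ("app01", "2024-05-01T10:00:05 ERROR error1: connection pool exhausted"),
    ("app01", "2024-05-01T10:00:09 WARN exception2: null reference in OrderService"),
    ("app02", "2024-05-01T10:01:00 ERROR error3: disk quota exceeded"),
    ("app03", "2024-05-01T10:01:02 ERROR error4: unknown host"),
    ("app02", "2024-05-01T10:01:30 INFO request served in 12ms"),
]

# The OR list from the question, as whole words so "error10" is not "error1".
ERROR_PATTERN = re.compile(r"\b(error[1-4]|exception[1-3])\b")


def load_host_email(csv_text):
    """Same role as `lookup host_email.csv host OUTPUT email_address`."""
    return {row["host"]: row["email_address"]
            for row in csv.DictReader(io.StringIO(csv_text))}


def group_alerts(events, host_email):
    """Mirror `stats count values(_raw) by host error_type`, keyed by team address.
    Returns {email_address: {(host, error_type): {"count": n, "sample": _raw}}};
    hosts absent from the lookup land under None instead of being dropped."""
    grouped = defaultdict(lambda: defaultdict(lambda: {"count": 0, "sample": None}))
    for host, raw in events:
        match = ERROR_PATTERN.search(raw)
        if not match:
            continue  # event matches none of the error/exception terms
        entry = grouped[host_email.get(host)][(host, match.group(1))]
        entry["count"] += 1
        entry["sample"] = entry["sample"] or raw  # keep the first _raw as the message
    return grouped


def render_email(team, groups):
    """One digest per team with alert message, server and count."""
    lines = [f"To: {team or 'UNROUTED (host not in host_email.csv)'}"]
    for (host, error_type), info in sorted(groups.items()):
        lines.append(f"{host}\t{error_type}\tcount={info['count']}\t{info['sample']}")
    return "\n".join(lines)
```

Hosts that fall under None are the ones a lookup-based alert would otherwise silently lose, which is worth a separate notification to whoever owns the lookup table.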