If I have a lookup table with the following information in it (see below), how do I send an email if the "event" found is NOT on the list?
For example, what if the event extracted was '%SPANTREE-SP-2-RECV_BAD_TLV'?
error,action,email
SYS-3-PORT_RX_BADCODE,TRUE,some@group.com
SYS-3-PORT_DEVICENOLINK,TRUE,some@group.com
SYS-3-PORT_BADPORT,TRUE,DEFAULT
TTY-3-AUTOCONFIG,TRUE,DEFAULT
ARC22056-4-minor,TRUE,DEFAULT
AUT21097-4-minor,TRUE,DEFAULT
C4K_EBM-4-HOSTFLAPPING,TRUE,DEFAULT
DHCPDBG-4-39,TRUE,DEFAULT
DOT11-4-TKIP_REPLAY,TRUE,some@group.com
DHCP_SNOOPING-4-AGENT_OPERATION_FAILED,TRUE,DEFAULT
props.conf:
[syslog_info]
EXTRACT-cisco_event = (?<error>\%.*-\b([0-4])\-.*?):\s
LOOKUP-foo = cisco_event_error error
transforms.conf:
[cisco_event_error]
filename = syslog_alerter.csv
Currently this search finds all events found in the lookup table:
sourcetype="syslog_info" | lookup syslog_alerter.csv error
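One way to invert that search so it returns only the events missing from the lookup, as an added example that is not part of the original question: it assumes the `error` field produced by the EXTRACT above still carries the leading `%` (so it is stripped before matching, since the CSV rows have no `%`), and that `action` and `email` stay null for any value not present in `syslog_alerter.csv`.

```spl
sourcetype="syslog_info"
| eval error_key=ltrim(error, "%")
| lookup syslog_alerter.csv error AS error_key OUTPUTNEW action email
| where isnull(action)
| stats count AS occurrences, earliest(_time) AS first_seen, latest(_time) AS last_seen BY host, error_key
| sort - occurrences
```

Saving this as a scheduled alert with the "Send email" action, triggered when the result count is greater than 0, notifies you of unknown events such as '%SPANTREE-SP-2-RECV_BAD_TLV' without needing a row for them in the table; once an event is added to the CSV it drops out of these results automatically.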