Hello,
we are ingesting data on multiple indexes for different departments. we want to create an alert when any index is not receiving logs from host should send and email to specific department mail address. we created a lookup .csv file and mention indexname and email address. below is the query which i am trying to execute but no results.
| tstats latest(_time) as latest where index=* earliest=-6h by host | eval recent = if(latest > relative_time(now(),"-45m"),1,0), realLatest = strftime(latest,"%c") | where recent=0 | outputlookup weblogs-index.csv | stats values(useremail) AS emailToHeader | mvexpand emailToHeader | map search="index | inputlookup weblogs-index.csv | where useremail=\"$emailToHeader$\" | fields - useremail | sendemail sendresults=true inline=true server=\"Your.Value.Here\" from=\"Your.Value.Here\" to=\"$emailToHeader$\" subject=\"Your Subject here: \$name\$\" message=\"This report alert was generated by \$app\$ Splunk with this search string: \$search\$\"" | appendpipe [|inputlookup weblogs-index.csv]
... View more
