Create email alert when a particular string/keywor...

navd · ‎06-14-2018

I am having couple of string to look for in log events and generate an alert when the matching string/keyword appears

Following are example keywords:-
ERROR - [] - Failed to create custom account for user
Code: Internal Server Error; Exception:
Internal Server Error; Exception: com.google.search.ts.exception:

So my current search look like this , but I want to know if there is any other way creating alert based on the string/keywords

index="abc" "ERROR - [] - Failed to create custom account for user" OR "Code: Internal Server Error; Exception: " OR "Internal Server Error; Exception: com.google.search.ts.exception: "

amiftah · ‎06-15-2018

Yes, In that case, you should extract the 4 strings in a field, and when you trigger the alert, send your field in your email: $result.yourfield$ , and include this field in the search: index=foo error | table yourfield

amiftah · ‎06-14-2018

I see all the strings contain "error" so maybe if you just save this search : index="abc" error as alert and choose send email as action will do the job..

navd · ‎06-15-2018

But , when I recieve the Email alert is it possible to include only the string that triggered(out of 4 other strings I am having) instead of displaying entire search string in email alert ?

richgalloway · ‎06-14-2018

I would do it the same way.

---
If this reply helps you, Karma would be appreciated.

Create email alert when a particular string/keyword is found in log event

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation