How to set an email alert for the results of this search:
sourcetype="rum" u=* |where t_done >10000
I tried as per the email setting procedure, but I did not get the email.
Please say the step-by-step procedure.
Hi
You can configure email notifications when you save a search as an alert. You can also configure email notifications when editing an alert's actions. The procedure is the same in both cases.
After running a search, save the search as an alert and configure email notification settings.
1) Run the search.
2) Select **Save As > Alert.**
3) Provide a Title and other information about the alert.
4) From the Add Actions menu, select Send email.
5) Specify the following:
   - To, CC, and BCC email recipients.
     Specify a comma-separated list of email recipients.
   - Priority
     Enforcement of priority depends on your email client.
   - Subject
   - Message
   - Include
     You can include the following items:
     - Information about the search
       - Link to the alert
       - Search string
       - Trigger condition
       - Trigger time
     - Information about search results
       - Link to results
       - Inline listing of results, as a table, raw events, or CSV file
       - Results as a PDF attachment
       - Results as a CSV attachment
   - Type
     Select HTML & Plain Text (multi-MIME message) or Plain Text
6) Specify other alert actions.
See set up alert actions for more information.
7) Click Save.
To complete what I am saying, click on http://docs.splunk.com/Documentation/Splunk/6.3.3/Alert/Emailnotification
You can also use the sendemail command. To use it, see this link:
http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Sendemail
You should not send emails to example.com, use your actual email address to test.
While I am running the query
sourcetype="rum" u=* |where t_done >10000 | sendemail to="example.com".
I get this error
command="sendemail", [Errno 11004] getaddrinfo failed while sending mail to: example.com.
What can I do?
Click on the link that I gave you and see the example.
You must be connected to the internet.
Hi
Look at the following example:
Send an email notification with a PDF attachment, a message, and raw inline results.
index=_internal | head 5 | sendemail to=example@splunk.com server=mail.example.com subject="Here is an email from Splunk" message="This is an example message" sendresults=true inline=true format=raw sendpdf=true
Make sure you've configured a working email server under Settings -> Server Settings -> Email Settings.
I have also done the email setting. Please say the procedure to get the email in PDF format.
Check the PDF box as described here: http://docs.splunk.com/Documentation/Splunk/6.3.3/Alert/Emailnotification#Configure_email_notificati...
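
The alert built by the steps in this thread, written out as configuration with the PDF option enabled. This is an added example, not part of any post above; the stanza name, addresses, schedule and throttle period are placeholders to replace with your own values.

```ini
# Added example; every name, address and schedule below is a placeholder.

# --- alert_actions.conf: the mail settings from
# --- Settings -> Server Settings -> Email Settings
[email]
# SMTP relay that the Splunk server itself can resolve and reach
mailserver = mail.example.com:25
from = splunk-alerts@corp.example

# --- savedsearches.conf: the search saved as a scheduled alert
[RUM slow page loads]
search = sourcetype="rum" u=* | where t_done > 10000
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
# Trigger condition: at least one matching event in the window
counttype = number of events
relation = greater than
quantity = 0
# Throttle so a sustained slowdown does not send mail on every run
alert.suppress = 1
alert.suppress.period = 1h
alert.track = 1
# "Send email" action
action.email = 1
action.email.to = oncall@corp.example
action.email.subject = Splunk Alert: $name$
action.email.priority = 3
action.email.content_type = html
# Include: inline table of results plus a PDF attachment
action.email.sendresults = 1
action.email.inline = 1
action.email.format = table
action.email.sendpdf = 1
```

Alerts saved through the steps above are written to savedsearches.conf as stanzas of this shape.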