How to set the search result as an email alert?

rck · ‎02-06-2016

How to set an email alert for the results of this search:

sourcetype="rum" u=*  |where t_done >10000

I tried as per the email setting procedure, but I did not get the email.
Please say the step-by-step procedure.

chimell · ‎02-08-2016

HI

You can configure email notifications when you save a search as an alert. You can also configure email notifications for when editing an alert's actions. The procedure is the same in both cases.

After running a search, save the search as an alert and configure email notification settings.

1) Run the search.
2) Select **Save As > Alert.**
3) Provide a Title and other information about the alert.
4) From the Add Actions menu, select Send email.

   5) Specify the following:

To, CC, and BCC email recipients.
Specify a comma-separated list of email recipients.
Priority
Enforcement of priority depends on your email client.
Subject
Message
Include
You can include the following items:

Information about the search
  Link to the alert
  Search string
  Trigger condition
  Trigger time

Information about search results
  Link to results
  Inline listing of results, as a table, raw events, or CSV file
  Results as a PDF attachment
  Results as a CSV attachment
Type
Select HTML & Plain Text (multi-MIME message) or Plain Text


6) Specify other alert actions.

See set up alert actions for more information.

7) Click Save.

to complete what i am saying click on http://docs.splunk.com/Documentation/Splunk/6.3.3/Alert/Emailnotification

you can also use Sendemail command to use it see this link :
http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Sendemail

martin_mueller · ‎02-16-2016

You should not send emails to example.com, use your actual email address to test.

rck · ‎02-16-2016

while i running the query
sourcetype="rum" u=* |where t_done >10000 | sendemail to="example.com".
I get this error
command="sendemail", [Errno 11004] getaddrinfo failed while sending mail to: example.com.
what Can i do?

chimell · ‎02-16-2016

click on the link that i gave you and see example
you must be connected to internet

chimell · ‎03-14-2016

hi
look at the following example

Send an email notification with a PDF attachment, a message, and raw inline results.

index=_internal | head 5 | sendemail to=example@splunk.com server=mail.example.com subject="Here is an email from Splunk" message="This is an example message" sendresults=true inline=true format=raw sendpdf=true

martin_mueller · ‎02-06-2016

Make sure you've configured a working email server under Settings -> Server Settings -> Email Settings.

rck · ‎02-06-2016

i also done the email setting please say the procedure to get the email in pdf format

martin_mueller · ‎02-06-2016

Check the PDF box as described here: http://docs.splunk.com/Documentation/Splunk/6.3.3/Alert/Emailnotification#Configure_email_notificati...