Splunk Search

Is there a way to send an alert email whenever a lookup is updated?

Priya312
Explorer

Hello,

Is there any way to send an email whenever there is a change in a lookup?
I have a report which updates the lookup whenever there is a breach in threshold. I want to send an email whenever that lookup gets updated. Is there any way to do that?

1 Solution

woodcock
Esteemed Legend

You can schedule a search that uses inputlookup to copy the file and compare it to a copy. Whenever what you read from the original is different from the copy, send an email, then update the copy with outputlookup so that it contains the updated original's data. This can all be done in a single search using sendemail.

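One way to implement the approach above, added here as an example and not taken from the original post: the search reads the live lookup, appends the snapshot copy, and keeps only rows that appear in exactly one of the two. The lookup names threshold_breaches.csv and threshold_breaches_snapshot.csv and the columns host, metric, value and breach_time are assumptions made for the illustration. The snapshot is refreshed inside the same pipeline (outputlookup within appendpipe, which then discards its own rows), so the search returns only the changed rows. Saved as an alert with the trigger condition "Number of Results is greater than 0" and the "Send email" action, it mails only when the lookup has actually changed; woodcock's inline sendemail variant would sit at the end of the pipeline instead.

```spl
| inputlookup threshold_breaches.csv
| eval source="current"
| append
    [| inputlookup threshold_breaches_snapshot.csv
     | eval source="snapshot"]
| fillnull value="-" host metric value breach_time
| stats values(source) AS seen_in BY host, metric, value, breach_time
| eval change=case(mvcount(seen_in)==2, "unchanged",
                   seen_in=="current",  "added",
                   true(),              "removed")
| appendpipe
    [ where change!="removed"
    | fields host, metric, value, breach_time
    | outputlookup threshold_breaches_snapshot.csv
    | where false() ]
| where change!="unchanged"
| table change, host, metric, value, breach_time
```

Two things to watch. inputlookup errors on a lookup that does not exist, so seed the snapshot once before the first scheduled run (for example `| inputlookup threshold_breaches.csv | outputlookup threshold_breaches_snapshot.csv`). The stats BY clause collapses identical rows, so a report that only re-appends a row already present will not register as a change; fillnull is there because stats drops rows where any BY field is null. Schedule the alert to run a few minutes after the report that writes the lookup, and make sure both lookup files are shared in the app the alert runs in, since outputlookup writes in the owner's app context.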

Priya312
Explorer

Thanks, woodcock. It worked.


woodcock
Esteemed Legend

For benefit of everyone, please share the details of your solution. I am curious whether you got it in 1 combined search or 2.


renjith_nair
Legend

You can watch the file and alert whenever it changes. But why don't you do it at the source itself? I.e., since you are running a report/scheduled search to update the lookup, include this email alert as part of your report itself. For example, if the report returns any result, create an action to send an alert. Does this work for you?

http://docs.splunk.com/Documentation/Splunk/6.4.1/Alert/Emailnotification

---
What goes around comes around. If it helps, hit it with Karma 🙂
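renjith_nair's alternative, added here as an example and not taken from the original post: attach the email to the report that writes the lookup. The search below is an assumed threshold report (the index, sourcetype, response_ms field and the 500 ms threshold are made up for the illustration) that appends breach rows to an assumed lookup named threshold_breaches.csv. Because outputlookup passes its rows through as the search results, saving this as an alert with the trigger condition "Number of Results is greater than 0" and the "Send email" action means the mail goes out exactly when the lookup gains rows.

```spl
index=web sourcetype=access_combined earliest=-15m@m latest=@m
| stats avg(response_ms) AS value BY host
| where value > 500
| eval metric="avg_response_ms", breach_time=now()
| table host, metric, value, breach_time
| outputlookup append=true threshold_breaches.csv
```

append=true adds to the existing lookup rather than replacing it, so the file only grows; if the report is meant to overwrite the lookup on each run, drop the option and the alert still fires on the same rows. When the search returns nothing, outputlookup writes nothing and the trigger condition is not met, so no email is sent.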