
Lookup Table & Sending Email from within the tables columns

MasterOogway

I have been asked to further enhance the Lookup Table currently in place, which allows for real-time lookups of Cisco events. The request would be to add a couple of columns, one for paging and one for emails. If an 'event' is matched to a 'device', then send a 'page' or 'email' to the appropriate group (see below).

event,action,device,email,page
%PHY-4-EXCESSIVE_ERRORS,TRUE,msp-usr-rtr1,emailperson@blah.com,pager@blah.com

Is this possible, and if yes, how? My current props.conf & transforms.conf are set up to extract 'error' from the incoming syslog and look like this:

props.conf:

[syslog_info]
EXTRACT-cisco_event = (?<error>\%.*-\b([0-4])\-.*?):\s
LOOKUP-foo = cisco_event_error error OUTPUTNEW

transforms.conf:

[cisco_event_error]
filename = syslog_alerter.csv

Any ideas or thoughts on if this has been done or can be done would be appreciated. This would work in conjunction with:

http://answers.splunk.com/questions/10502/lookup-table-only-send-email-if-the-event-is-not-on-the-lo...


araitz
Splunk Employee

The problem with this approach is that for a given saved search, there might be 5 of one type of event that go to one email recipient, 7 of another type of event that go to another, and so on.

Splunk's sendemail script is not capable of sending different portions of a saved search result set to multiple recipients - it would have to be invoked at least once per recipient.

There are two alternatives that I can think of:

  • Use a scripted action or hacked version of sendemail.py to sort through the result set of the saved search and send alerts to the right email address based on the values provided by the lookup
  • Set up discrete saved searches for each potential recipient. Each search would look like this:

    email=emailperson@blah.com | sendemail to=emailperson@blah.com <the rest of the opt/args for sendemail>...
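As an added example, not code from the thread, from Splunk, or from either poster, here is a Python sketch of the first alternative above: a scripted action that extracts the Cisco mnemonic with the same regex as the poster's props.conf EXTRACT, matches the (event, device) pair against the syslog_alerter.csv layout from the question, and groups the matched events per email/page address so that one message can be built per recipient, which is exactly what sendemail cannot do from a single search. The syslog lines, the extra lookup rows, the FALSE action and the sender address are constructed for the example; the lookup here is keyed on both event and device, whereas the poster's LOOKUP-foo keys on `error` alone. Real-world use would read the results file Splunk hands a legacy scripted alert (path in argv[8], per Splunk's scripted-alert docs) instead of the inline syslog sample.

```python
"""Added example: route Cisco syslog events to per-recipient messages
based on the event/device/email/page lookup from the question."""
import csv
import gzip
import io
import re
import sys
from collections import defaultdict
from email.message import EmailMessage

# Same pattern as the poster's props.conf EXTRACT; Python's re needs
# (?P<name>...) instead of PCRE's (?<name>...), otherwise unchanged.
CISCO_EVENT_RE = re.compile(r"(?P<error>%.*-\b([0-4])-.*?):\s")
# Assumed BSD-style syslog header: "Mon DD HH:MM:SS host ..."
SYSLOG_HOST_RE = re.compile(r"^\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+(?P<host>\S+)")

# Constructed sample input; the last line is severity 5, outside the
# [0-4] range the EXTRACT accepts, so it must produce no notification.
SAMPLE_SYSLOG = [
    "Jun  1 12:00:01 msp-usr-rtr1 1234: %PHY-4-EXCESSIVE_ERRORS: Excessive errors on GigabitEthernet0/1",
    "Jun  1 12:00:02 msp-usr-rtr2 77: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to down",
    "Jun  1 12:00:03 msp-usr-rtr1 1235: %SYS-5-CONFIG_I: Configured from console by admin",
]

# Constructed lookup in the question's syslog_alerter.csv layout; the
# second and third rows (and the FALSE action) are assumptions.
SAMPLE_LOOKUP_CSV = """event,action,device,email,page
%PHY-4-EXCESSIVE_ERRORS,TRUE,msp-usr-rtr1,emailperson@blah.com,pager@blah.com
%LINK-3-UPDOWN,TRUE,msp-usr-rtr2,netops@blah.com,pager@blah.com
%LINK-3-UPDOWN,FALSE,msp-usr-rtr3,netops@blah.com,
"""


def extract_events(lines):
    """Mimic the EXTRACT: keep lines carrying a severity 0-4 Cisco mnemonic."""
    events = []
    for line in lines:
        m = CISCO_EVENT_RE.search(line)
        h = SYSLOG_HOST_RE.match(line)
        if m and h:
            events.append({"host": h.group("host"), "error": m.group("error"), "_raw": line})
    return events


def load_lookup(csv_text):
    """Key the lookup on (event, device) so an event only fires for its device."""
    return {(r["event"], r["device"]): r for r in csv.DictReader(io.StringIO(csv_text))}


def route(rows, lookup=None):
    """Group rows per recipient. With a lookup, match (error, host) and honour
    the action flag; without one, rows are assumed to already carry the
    lookup's email/page output fields (as search results would)."""
    routed = defaultdict(list)
    for r in rows:
        if lookup is not None:
            match = lookup.get((r["error"], r["host"]))
            if match is None or match["action"].upper() != "TRUE":
                continue  # unknown event/device pair, or action disabled
            r = {**r, "email": match["email"], "page": match["page"]}
        for recipient in (r.get("email"), r.get("page")):
            if recipient:
                routed[recipient].append(r)
    return dict(routed)


def build_messages(routed, sender):
    """One EmailMessage per recipient, listing only that recipient's events."""
    messages = []
    for recipient, evs in sorted(routed.items()):
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = recipient
        msg["Subject"] = f"Splunk Cisco alert: {len(evs)} event(s)"
        msg.set_content("\n".join(f"{e['host']} {e['error']}\n  {e['_raw']}" for e in evs))
        messages.append(msg)
    return messages


def rows_from_splunk_results(path):
    """Read the gzipped results CSV a legacy scripted alert receives in argv[8]."""
    with gzip.open(path, "rt", newline="") as fh:
        return list(csv.DictReader(fh))


if __name__ == "__main__":
    # Stand-alone demo on the constructed data. As a scripted action you would
    # call route(rows_from_splunk_results(sys.argv[8])) instead and hand each
    # message to smtplib.SMTP(...).send_message(msg).
    for msg in build_messages(route(extract_events(SAMPLE_SYSLOG), load_lookup(SAMPLE_LOOKUP_CSV)), "splunk@blah.com"):
        print(msg)
```

Note that the greedy `.*` in the original EXTRACT will stretch to the last `-<0-4>-` on the line, so a message body containing something like `-2-` after the mnemonic would distort the `error` field; a tighter pattern such as `%\w+-[0-4]-\w+` avoids that if you revisit the props.conf.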

southeringtonp

You might be able to get creative with the 'map' command to generalize the second case. But in any event, it's clearly not a trivial thing to do.
