Lookup Table & Sending Email from within the tables columns

MasterOogway
Communicator

I have been asked to further enhance the Lookup Table currently in place which allows for RealTime lookups of Cisco Events. The request would be to add a couple columns, one for paging and one for emails. If an 'event' is matched to a 'device' then send a 'page' or 'email' to the appropriate group (see below).

event,action,device,email,page
%PHY-4-EXCESSIVE_ERRORS,TRUE,msp-usr-rtr1,emailperson@blah.com,pager@blah.com

Is this possible, and if yes, how? My current props & transforms.conf are setup to extract 'error' from the incoming syslog and look like this:

props.conf:

[syslog_info]
EXTRACT-cisco_event = (?<error>\%.*-\b([0-4])\-.*?):\s
LOOKUP-foo = cisco_event_error error OUTPUTNEW

transforms.conf:

[cisco_event_error]
filename = syslog_alerter.csv

Any ideas or thoughts on if this has been done or can be done would be appreciated. This would work in conjunction with:

http://answers.splunk.com/questions/10502/lookup-table-only-send-email-if-the-event-is-not-on-the-lo...

MasterOogway

araitz
Splunk Employee

The problem with this approach is that for a given saved search, there might be 5 of one type of event that goes to one email recipient, 7 of another type of event that goes to another, and so on.

Splunk's sendemail script is not capable of sending different portions of a saved search result set to multiple recipients - it would have to be invoked at least once per recipient.

There are two alternatives that I can think of:

  • Use a scripted action or hacked version of sendemail.py to sort through the result set of the saved search and send alerts to the right email address based on the values provided by the lookup
  • Set up discrete saved searches for each potential recipient. Each search would look like this:

    email=emailperson@blah.com | sendemail to=emailperson@blah.com <the rest of the opt/args for sendemail>...
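
A sketch of the first alternative (a scripted action that sorts the result set itself), added here as an example; it is not code from this thread nor from Splunk's sendemail.py. It takes the saved search results after the lookup has appended the email and page columns, keeps only rows where action is TRUE and the reporting host matches the device named in the lookup, and groups them per recipient so each address is handled once. The sample results CSV and the host and _time columns are constructed for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of what the saved search would hand to a scripted
# alert action once the cisco_event_error lookup has added email and page.
SAMPLE_RESULTS = """\
_time,host,error,action,device,email,page
2011-05-02T10:00:01,msp-usr-rtr1,%PHY-4-EXCESSIVE_ERRORS,TRUE,msp-usr-rtr1,emailperson@blah.com,pager@blah.com
2011-05-02T10:00:05,msp-usr-rtr1,%PHY-4-EXCESSIVE_ERRORS,TRUE,msp-usr-rtr1,emailperson@blah.com,pager@blah.com
2011-05-02T10:00:09,msp-usr-rtr2,%LINK-3-UPDOWN,TRUE,msp-usr-rtr2,netops@blah.com,
2011-05-02T10:00:12,msp-usr-rtr3,%SYS-5-CONFIG_I,FALSE,msp-usr-rtr3,emailperson@blah.com,pager@blah.com
"""


def group_by_recipient(results_csv):
    """Return {recipient: [(host, error, _time), ...]} for rows that should alert."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(results_csv)):
        if (row.get("action") or "").strip().upper() != "TRUE":
            continue  # lookup says this event is not actionable
        if row.get("device") and row["device"] != row.get("host"):
            continue  # the rule names a different device than the one reporting
        for column in ("email", "page"):
            recipient = (row.get(column) or "").strip()
            if recipient:
                groups[recipient].append((row["host"], row["error"], row["_time"]))
    return dict(groups)


def build_messages(groups, subject_prefix="Cisco alert"):
    """One (recipient, subject, body) tuple per address, so delivery is
    invoked once per recipient instead of once per result row."""
    messages = []
    for recipient in sorted(groups):
        hits = groups[recipient]
        subject = "%s: %d matching event(s)" % (subject_prefix, len(hits))
        body = "\n".join("%s %s %s" % (t, h, e) for h, e, t in hits)
        messages.append((recipient, subject, body))
    return messages


if __name__ == "__main__":
    # Delivery (SMTP or a paging gateway) is left to the deployer; print instead.
    for recipient, subject, body in build_messages(group_by_recipient(SAMPLE_RESULTS)):
        print("To: %s\nSubject: %s\n%s\n" % (recipient, subject, body))
```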

southeringtonp
Motivator

You might be able to get creative with the 'map' command to generalize the second case. But in any event, it's clearly not a trivial thing to do.
