Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to set a custom alert condition to send multiple email alerts with different results based on a certain field?

Roopaul
Explorer
‎09-04-2015 03:45 PM

I created a search which displays below results:

Server   component   Proxy   Count
   A        AB        ABC      2
   A        AB        ABD      4
   A        AC        ABC      2

I need to send an email for each component i.e.
Email 1:

Server   component   Proxy   Count
   A        AB        ABC      2
   B        AB        ABD      4

Email 2:

Server   component   Proxy   Count
   A        AC        ABC      2

Can someone help?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

justinatpnnl
Communicator
‎09-08-2015 11:19 AM

What if you tried something like this:

| stats list(Server) as Server, list(Proxy) as Proxy, list(Count) as Count by Component

That would give you something like this as a result, where each component has its own row (this may not display correctly below, but hopefully you get the idea):

Component   Server  Proxy   Count
AB         A         ABC      2
             B       ABD      4
AC         A         ABC      2

Now you can save this as an alert and fire "For each result". Would that work for you?

View solution in original post

Reply
Solved! Jump to solution
Solution

justinatpnnl
Communicator
‎09-08-2015 11:19 AM

What if you tried something like this:

| stats list(Server) as Server, list(Proxy) as Proxy, list(Count) as Count by Component

That would give you something like this as a result, where each component has its own row (this may not display correctly below, but hopefully you get the idea):

Component   Server  Proxy   Count
AB         A         ABC      2
             B       ABD      4
AC         A         ABC      2

Now you can save this as an alert and fire "For each result". Would that work for you?

Reply
Solved! Jump to solution

jamestoan
New Member
‎09-21-2015 11:58 AM

For this described method, how do I make each multivalued field show up on a new line instead of bunched together on one line in an email alert with an Inline Table?

For example, I want the table in the email to show up like the table described in the answer. However, in my emails, I'm getting a table with "A" and "B" showing up as "A B" on one line instead of a separate row for server "B".

0 Karma
Reply
Solved! Jump to solution

Roopaul
Explorer
‎09-21-2015 12:42 PM

Yes, we also faced the same issue and it looks like a limitation with splunk. In the email the field size is determined as per the width of the column heading. So what we did is we manipulated the column width by adding spaces to the column name (it should be higher than the result's highest length):
For eg.
|eval server= server." "|

Hope this helps.

0 Karma
Reply
Solved! Jump to solution

Roopaul
Explorer
‎09-08-2015 11:25 AM

@justinatpnnl

this is great. Yes this will defintely work for me. I was unaware of "list" argument and was using "values". Thanks a lot!!

0 Karma
Reply
Solved! Jump to solution

justinatpnnl
Communicator
‎09-05-2015 02:18 PM

Do you need to send to different email addresses based on the component? Or just fire separate emails but all to the same address?

0 Karma
Reply
Solved! Jump to solution

frobinson_splun
Splunk Employee
Splunk Employee
‎09-04-2015 04:26 PM

Hi @Roopaul,
Here is what I would suggest:
1) Set up scheduled reports that run this query for each component (not sure how many components you anticipate)
2) Set up an email action for those reports so that you get emails when the scheduled report is done. You can include information from the search results in the alert emails.

Here is some documentation on using scheduled reports:
http://docs.splunk.com/Documentation/Splunk/6.2.5/Report/Schedulereports

Hope this helps! Let me know if not and we can continue discussing.

All best,
@frobinson_splunk

Reply
Solved! Jump to solution

Roopaul
Explorer
‎09-08-2015 10:34 AM

@frobinson_splunk
I am doing scheduled reports for this alert. But my requirement is I want to send an email based on the output of the query (see my example above).

@justinatpnnl - The recipents are going to be the same. the email content will vary based on the output as i mentioned above.

0 Karma
Reply
Solved! Jump to solution

frobinson_splun
Splunk Employee
Splunk Employee
‎09-04-2015 04:09 PM

Hi @Roopaul,
I'm a tech writer here at Splunk and I work on alerting documentation. I am looking into this and will post some documentation resources that should help. I'll report back shortly!
All best,
@frobinson_splunk

0 Karma
Reply
Solved! Jump to solution

miguel1423
Explorer
‎02-11-2022 02:16 AM

Hello,

 

I'm looking for the same use case, have you find an solution for that ? 

 

Regards,

 

0 Karma
Reply
Solved! Jump to solution

Roopaul
Explorer
‎09-04-2015 04:16 PM

Great. That will be really helpful. Looking forward to it.

Do you have any high level date on when this will be available as i am working on an urgent requirement.

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...