Solved: Email alerts with logics

tsunamii · ‎10-12-2015

For example, I want to accomplish this with only one alert saved search: to send email notification to admin_a if the search returns between 10 and 100 events within 5 mins (or when the search is ran), but to run some additional scripts or send email alert to admin_a and manager, if more than 100 events returned within 5 minutes.

martin_mueller · ‎10-12-2015

There are several things mixed up here, so I'll try to untangle.

First I'll assume you have a search that returns some count field in an event, and you want to alert if count >= 10. To do that, you can either add | where count >= 10 to your search and alert on "search returns an event", or add the where count >= 10 as the alert condition.
If you actually have the events returned from your search, you can instead set the alert condition to "alert if number of events is greater than" and enter your number.

Second, you want to email different people depending on the count. Set your email recipient to $result.recipient$ and add this to your search: ... | eval recipient = if (count < 100, "admin_a@example.com", "admin_a@example.com,manager@example.com")
If you're actually returning events, add this instead: ... | eventstats count | eval if(...)

Third, you want to run a script based on the count, but don't want a second alert. Run the script every time, and let the script abort if the count is below the threshold. If you can't modify your script then create a simple wrapper script to make this decision.

View solution in original post

splunkIT · ‎01-14-2016

This appears to work on splunk 6.3:

"error" | stats count | eval recipient=case(count > 3500, "recipient1@domain.com", count >= 500, "recipient2@domain.com", 1==1, null()) | where isnotnull(recipient)

AND in the to field you specify:
$result.recipient$

So this says,

if we have > 3500 records then
send to recipient1
else if you have > 500 records
then send to recipient 2
else
do not send any mail (sets recipient to null)

splunkIT · ‎02-19-2016

The latest doc has been updated with this information:
http://docs.splunk.com/Documentation/Splunk/6.3.3/Alert/Emailnotification#Send_email_notification_fr...

martin_mueller · ‎10-12-2015

There are several things mixed up here, so I'll try to untangle.

First I'll assume you have a search that returns some count field in an event, and you want to alert if count >= 10. To do that, you can either add | where count >= 10 to your search and alert on "search returns an event", or add the where count >= 10 as the alert condition.
If you actually have the events returned from your search, you can instead set the alert condition to "alert if number of events is greater than" and enter your number.

Second, you want to email different people depending on the count. Set your email recipient to $result.recipient$ and add this to your search: ... | eval recipient = if (count < 100, "admin_a@example.com", "admin_a@example.com,manager@example.com")
If you're actually returning events, add this instead: ... | eventstats count | eval if(...)

Third, you want to run a script based on the count, but don't want a second alert. Run the script every time, and let the script abort if the count is below the threshold. If you can't modify your script then create a simple wrapper script to make this decision.

Email alerts with logics

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!