Hi,
Can you please advise if we can customize our Alert subject based on a certain field in the result set?
For EX:
We have a field called HostName which has a list of hosts as values, and whenever the alert is triggered, it should display that the alert is for $hostname$,
and we are using the trigger-once condition. Hence, there might be different hosts in the result set, so we need to trigger separate alerts for each host (there are different results for each host by time).
Going through some docs, I found $result.field$
for the subject, but I guess this won't work for my criteria, because in the result set we have multiple hosts and the condition is "trigger once", so there may be multiple results for different hosts.
Thanks
I would suggest following the solution mentioned here (map and sendemail combination):
https://answers.splunk.com/answers/213340/how-to-get-splunk-sendemail-command-to-send-multip.html
Hi, our base search looks like this:
index=idx1 sourcetype=jobs NOT "User has reached the per-user job slot limit of the queue"
|rename host to dns_name
| join type=left dns_name [|inputlookup servers.csv|eval dns_name=lower(dns_name)]
| search Environment!="IPC2 Loyalty"
| eval totalCount=if(status!="", jobId, null())
| eval pend= if(status="PEND", jobId, null())
| eventstats dc(pend) as pend by Environment
|eventstats dc(totalCount) as totalCount by Environment
|search status=PEND
|dedup jobId
|table _time dns_name Environment jobId pend totalCount status
| eval pct=(pend/totalCount)*100
| eval pct=round(pct,2)
| eval pctSuspend=(pct + "%")
| fields - pct
The above is our base search; we are looking at this for the Environment field.
The Environment field has different values; we need to add $Environment$ to the subject line and need to see only the results for that specific environment.
Can you please advise if we can do the above scenario with map and sendemail?
Thanks
Give this a try:
index=idx1 sourcetype=jobs NOT "User has reached the per-user job slot limit of the queue"
|rename host to dns_name
| join type=left dns_name [|inputlookup servers.csv|eval dns_name=lower(dns_name)]
| search Environment!="IPC2 Loyalty"
| eval totalCount=if(status!="", jobId, null())
| eval pend= if(status="PEND", jobId, null())
| eventstats dc(pend) as pend by Environment
|eventstats dc(totalCount) as totalCount by Environment
|search status=PEND
|dedup jobId
|table _time dns_name Environment jobId pend totalCount status
| eval pct=(pend/totalCount)*100
| eval pct=round(pct,2)
| eval pctSuspend=(pct + "%")
| fields - pct
| map search="|noop | eval _time=$_time$ | eval dns_name=\"$dns_name$\" | eval jobId=\"$jobId$\" | eval Environment=\"$Environment$\" | eval totalCount=\"$totalCount$\" | eval pend=\"$pend$\" | eval status=\"$status$\" | eval pctSuspend=\"$pctSuspend$\" |table _time dns_name Environment jobId pend totalCount status pctSuspend | sendemail to=\"email1,email2\" subject=\"Alert for $Environment$\" sendresults=true inline=true format=table "
With this one, I am getting "No Results Found" in statistics, although I could see events displaying values.
Also, if I have 7 events, I am getting 7 different emails for the same Environment, but we need only one email per Environment.
Thanks