How configure an alert to send an email based on f...

vinuece2007 · ‎01-13-2017

Hi All

I have a requirement to trigger an alert email per Service in case of failures.
I don't want to create separate alerts for each service.

My search returns below results example -

ServiceName         Status      Time                EmailContact
ABC                 failed  1/13/2017 8.50 am       xyz@mail.com
ABC                 failed  1/13/2017 8.55 am       xyz@mail.com
DEF                 failed  1/13/2017 9.00 am       bcd@mail.com

How to get two emails from Splunk for ServiceName-ABC and ServiceName DEF?

First email should sent to xyz@mail.com with below 2 rows

ServiceName         Status      Time                EmailContact
ABC                 failed  1/13/2017 8.50 am       xyz@mail.com
ABC                 failed  1/13/2017 8.55 am       xyz@mail.com

Second email should sent to bcd@mail.com with below 1 rows

ServiceName         Status      Time                EmailContact
DEF                 failed  1/13/2017 9.00 am       bcd@mail.com

I have tried to use "map" command in the Custom trigger condition but it is not working.
Please tell me the approach to accomplish this. Thanks !!

Regards
Selvaraj

woodcock · ‎01-13-2017

Like this:

Your Base Search Here
| outputlookup MyTempLookup.csv
| stats count by EmailContact
| map maxsearches=9999 search="|inputlookup MyTempLookup.csv
                               | search EmailContact=$EmailContact$
                               | sendemail to=\"$EmailContact$\" format=raw subject=myresults sendresults=true"

woodcock · ‎12-27-2019

@ppablo, We could use an admin-accept here, I think.

How configure an alert to send an email based on field values?

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability