
Alert Sending Email based on an if condition

hiteshkanchan
Communicator

I need to send an email based on an if condition. Something like "if (value > 10) send an email". But I am not able to figure out how to do this.

I am trying this with eval. But this only assigns the value to a variable (LoginQuality).

| eval LoginQuality=if(AverageLoginTime > 10, "More", "Less")

I need to make change/modify this statement to send an email depending on the condition.

Can someone help me with this?

0 Karma

romantercero
Path Finder

You can do this with a subsearch. Check this out:

index="_internal" group="per_source_thruput" series!="_audit" series!="_internal"
| eval GB=(kb/1024)/1024
| stats sum(GB) as Hourly_Indexed_GB
| eval test=if(Hourly_Indexed_GB > 20.3,
    [ search index="_internal" group="per_source_thruput" series!="_audit" series!="_internal"
      | eval GB=(kb/1024)/1024
      | stats sum(GB) as GB
      | table GB
      | sendemail to="email@somewhere.com" format=html subject=Splunk_License_warn server=Your_Mail_Server sendresults=true ],
    "0")

0 Karma

romantercero
Path Finder

The gist of this is to include an if statement and place a subsearch on the true or false clause of the if. The subsearch uses the sendemail command to send you the results.

0 Karma

dwaddle
SplunkTrust

If I understand your goal here, it's possible that an "advanced conditional alert" will suit your needs. Check out http://docs.splunk.com/Documentation/Splunk/4.2.3/User/SchedulingSavedSearches and search for the section "Define an advanced conditional alert".

I think that using a conditional alert of the form

search LoginQuality > 10

should get you close to what you want...

dwaddle
SplunkTrust

You need to configure Splunk with a proper connection to a valid SMTP server. I doubt that proxy.com:8080 is a valid SMTP server. You need to make sure your basic SMTP connection is working before trying to move on to conditional alerts and stuff.

0 Karma

hiteshkanchan
Communicator

I am trying this command: sendemail to="user@domain.com" sendresults=true server="proxy.com:8080" and it gives an error like:
"command="sendemail", Connection unexpectedly closed while sending mail to: user@domain.com"

0 Karma

hiteshkanchan
Communicator

Yes, I am trying the same, but currently I am getting an error: "command="sendemail", [Errno 10061] No connection could be made because the target machine actively refused it while sending mail to: hitesh@domain.com".

Looks like some configuration issue. Kindly let me know if anyone has resolved this issue.

0 Karma

fk319
Builder

Under Manager/Searches and Reports you can schedule your e-mails. This is a feature that varies quite a bit between versions. The later versions have better control over this.

0 Karma

fk319
Builder

I have not personally done this, but another has on our system. I would expect that sendmail [on a Unix system] must be accepting requests, well at least on 127.0.0.1.

0 Karma

hiteshkanchan
Communicator

Yes, right, I am doing the same thing and getting an error like:
command="sendemail", [Errno 10060] A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond while sending mail to: "username@mail.com"

0 Karma

fk319
Builder

There is a sendemail command:
| eval send=if(AverageLoginTime > 10, "true", "false")
| search send="true"
| sendemail {arg list}
http://docs.splunk.com/Documentation/Splunk/4.3.2/SearchReference/Sendemail

0 Karma

hiteshkanchan
Communicator

If sending mail based on a condition like "if (AverageLoginTime > 10) send an email" is not possible, then I tried using Manager/Searches and Reports.
But it does not seem to send any mails. Any idea if I need to do any configuration?

0 Karma

hiteshkanchan
Communicator

I want to do this either from the search command or from a python script.

From the search query/command, I get the AverageLoginTime value and based on this value I need to send the mail.

So I am looking for some command like "if (AverageLoginTime > 10) send an email"

0 Karma
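Two things run through this thread: the conditional itself (fk319's eval/search gate, dwaddle's conditional alert) and the fact that every sendemail attempt above fails at the SMTP connection (10061 refused, 10060 timeout, "Connection unexpectedly closed" against proxy.com:8080, which is an HTTP proxy port, not a mail relay). hiteshkanchan also says a Python script would be acceptable. The following is an added example, not code from any of the posters or from Splunk: it implements "if AverageLoginTime > 10, send an email" in Python, reaching the mail server only when the condition holds (the same effect as fk319's `search send="true"` filter before `sendemail`), and it checks the SMTP relay first, classifying the same connection failures quoted in the thread. The server name, the addresses and the login events are assumed/constructed. One caveat on romantercero's approach: a subsearch is expanded before the outer search runs, so a `sendemail` inside `[ ... ]` executes regardless of which branch of the `if` is taken; filtering results and then piping to `sendemail` avoids that.

```python
"""Conditional alert mail with an SMTP pre-check.

Added example for this thread, not code from any of the posters or from
Splunk. Mail server, addresses and the login events are assumed/constructed.
"""
import smtplib
import socket
import statistics
from email.message import EmailMessage

THRESHOLD_SECONDS = 10.0

# Constructed sample events: per-login durations in seconds, the kind of data
# a search that computes AverageLoginTime would aggregate.
LOGIN_EVENTS = [
    {"user": "alice", "login_time": 4.5},
    {"user": "bob", "login_time": 18.75},
    {"user": "carol", "login_time": 12.5},
    {"user": "dave", "login_time": 9.25},
]


def average_login_time(events):
    """Same aggregate as `stats avg(login_time) as AverageLoginTime`."""
    return statistics.fmean(e["login_time"] for e in events)


def should_alert(avg, threshold=THRESHOLD_SECONDS):
    """The `if (AverageLoginTime > 10)` gate; nothing is sent unless this is true."""
    return avg > threshold


def build_alert(avg, to_addr, from_addr, threshold=THRESHOLD_SECONDS):
    """Build the message; the subject carries the metric so the alert stands on its own."""
    msg = EmailMessage()
    msg["Subject"] = f"LoginQuality alert: average login time {avg:.2f}s > {threshold:g}s"
    msg["From"] = from_addr
    msg["To"] = to_addr
    msg.set_content(f"AverageLoginTime is {avg:.2f}s, above the {threshold:g}s threshold.\n")
    return msg


def classify_smtp_error(exc):
    """Translate the connection failures quoted in the thread into a diagnosis.

    Windows reports a refused connection as WinError 10061 and a timeout as
    10060; smtplib reports a peer that closes without sending an SMTP banner as
    SMTPServerDisconnected ("Connection unexpectedly closed"), which is what a
    non-SMTP listener such as an HTTP proxy on port 8080 produces.
    """
    if isinstance(exc, ConnectionRefusedError):
        return "refused: nothing is listening on that host:port (10061 / ECONNREFUSED)"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout: host unreachable or port filtered by a firewall (10060)"
    if isinstance(exc, smtplib.SMTPServerDisconnected):
        return "disconnected: peer closed without an SMTP banner; probably not an SMTP server"
    return f"other: {exc!r}"


def check_smtp(host, port, timeout=5.0):
    """Prove the server speaks SMTP (250 to EHLO) before wiring it into alerting.

    Returns (ok, detail). Run this once against the configured relay; if it
    fails, changing the alert search will not help.
    """
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            code, reply = smtp.ehlo()
    except (OSError, smtplib.SMTPException) as exc:
        return False, classify_smtp_error(exc)
    if code != 250:
        return False, f"EHLO rejected: {code} {reply.decode(errors='replace')}"
    return True, "EHLO accepted"


class DryRunSMTP:
    """Stand-in for smtplib.SMTP that records instead of sending, so the
    threshold logic can be exercised with no mail server at all."""
    sent = []

    def __init__(self, host, port, timeout=None):
        self.host, self.port = host, port

    def __enter__(self):
        return self

    def __exit__(self, *exc_info):
        return False

    def ehlo(self):
        return 250, b"dry-run"

    def has_extn(self, name):
        return False

    def send_message(self, msg):
        DryRunSMTP.sent.append(msg)


def send_alert(events, to_addr, from_addr, host, port, transport=smtplib.SMTP):
    """Evaluate the condition and send only when it holds.

    Returns True if a message was handed to the transport, False if the
    threshold was not exceeded. `transport` defaults to a real SMTP client;
    pass DryRunSMTP to test the decision without a server.
    """
    avg = average_login_time(events)
    if not should_alert(avg):
        return False
    msg = build_alert(avg, to_addr, from_addr)
    with transport(host, port, timeout=10) as smtp:
        smtp.ehlo()
        if smtp.has_extn("starttls"):  # upgrade to TLS when the relay offers it
            smtp.starttls()
            smtp.ehlo()
        smtp.send_message(msg)
    return True


if __name__ == "__main__":
    # Assumed names: replace with the real SMTP relay (port 25/587, not an HTTP proxy on 8080).
    print(check_smtp("mail.example.com", 25))
    sent = send_alert(LOGIN_EVENTS, "user@example.com", "splunk@example.com",
                      "mail.example.com", 25, transport=DryRunSMTP)
    print("sent:", sent, "recorded:", len(DryRunSMTP.sent))
```

Run `check_smtp` once against whatever host you intend to put in `server=`: a "refused" result means nothing listens on that port, "timeout" means a firewall or wrong host, and "disconnected" means the listener is not speaking SMTP, which is what pointing Splunk at an HTTP proxy on 8080 looks like. Only once it returns `(True, "EHLO accepted")` is it worth debugging the conditional itself; `send_alert` with `DryRunSMTP` lets you confirm the threshold logic separately from mail delivery.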