Splunk Search

How to pass a search to a macro for emailing purposes?

billyhigdon
New Member

Hi all,

I'm utilizing a search that we run throughout the day which looks for a specific service shutdown on all monitored servers. I currently have an alert set which will send an email to me once this service shutdown string is noticed within the log file. My long-term goal is to have this email go out to different distribution groups depending on the server itself.

To achieve this, we have created two lookup tables.

  1. client-mapping.csv - one row lists the client code name, and the other lists the individual servers.
  2. email_groups.csv - one row lists the client code name, and the other lists the distribution list.

I wrote a macro that accepts an arg of $host$. Depending on the host name I type, it looks that up first in the client-mapping.csv, and then outputs the client code as a string to another lookup of email_groups.csv. When it's all said and done I'm left with an email address.

client_to_email(1)
inputlookup email_groups.csv | where Client_Code=[| inputlookup client-mapping.csv | where hostname = $host$ | head 1 | eval clientcodename="\"" + tostring(clientcodename) + "\"" | return $clientcodename] | fields Email

This is the search that we use to see if the service has been stopped.
"[INFO,ServiceManagerJBoss] stopService()" NOT (date_wday="sunday" AND date_hour > 2 AND date_hour < 7) NOT (date_wday="sunday" date_hour > 16 AND date_hour < 21 )

So my initial thought was to leave the search as is and add the macro at the end. This would allow me to add an Email Address token to the To field in the trigger email. I tried to run the following

"[INFO,ServiceManagerJBoss] stopService()" NOT (date_wday="sunday" AND date_hour > 2 AND date_hour < 7) NOT (date_wday="sunday" date_hour > 16 AND date_hour < 21 ) | eval email = `client_to_email($host$)`

but I'm getting the following error.

Error in 'eval' command: The expression is malformed.

Any idea?

Thank You,
Billy


woodcock
Esteemed Legend

See my (admitted-to-work yet somehow still unaccepted) answer in this Q&A:

https://answers.splunk.com/answers/401081/how-to-use-the-sendemail-command-to-send-an-email.html

It says basically this (you just need to integrate your extra lookup into the solution):

This is from another Q&A:
https://answers.splunk.com/answers/399434/send-emailed-results-to-an-email-address-in-the-re.html#an...

If you need to send a contextually-appropriate subset of results to some people, you can skip the configuration-based email settings and do this in SPL:

... | outputcsv TempFile.csv
| stats values(Email_Address) AS emailToHeader | mvexpand emailToHeader
| map search ="|inputcsv TempFile.csv | where Email_Address=\"$emailToHeader$\"
   | fields - Email_Address
   | sendemail
      sendresults=true inline=true
      server=\"Your.Value.Here\"
      from=\"Your.Value.Here\"
      to=\"$emailToHeader$\"
      subject=\"Your Subject here: \$name\$\"
      message=\"This report alert was generated by \$app\$ Splunk with this search string: \$search\$\""
| where comment="MakeSureNoEventsRemain"
| append [|inputcsv TempFile.csv]
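The error in the question comes from putting a macro that expands to a whole search (`inputlookup ...`) inside an `eval` expression, which only accepts eval functions. In SPL the host-to-recipient chain belongs inline, as two `lookup` commands on the alert search (`| lookup client-mapping.csv hostname AS host OUTPUT clientcodename | lookup email_groups.csv Client_Code AS clientcodename OUTPUT Email`, with lookup definitions named for those files), after which the per-recipient fan-out above can be applied. The Python below is an added model of that routing, not code from the page or from Splunk: it chains the two lookups, buckets events by recipient exactly as the `stats values | mvexpand | map` pattern does, and covers the failure mode a practitioner should care about, a host missing from `client-mapping.csv` (or a malformed address in `email_groups.csv`), which in the `map` pattern would simply produce no email at all. The CSV rows, the events, the default recipient and the address pattern are all constructed for the example.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed data standing in for the two lookup tables from the question.
# Hostnames, client codes and addresses are hypothetical.
CLIENT_MAPPING_CSV = """hostname,clientcodename
app01.example.com,ACME
app02.example.com,ACME
db01.example.com,GLOBEX
"""

EMAIL_GROUPS_CSV = """Client_Code,Email
ACME,acme-ops@example.com
GLOBEX,globex-ops@example.com
"""

# Constructed events, as the stopService() search would return them.
# The last host is deliberately absent from client-mapping.csv.
EVENTS = [
    {"_time": "2016-05-02 10:15:03", "host": "app01.example.com",
     "_raw": "[INFO,ServiceManagerJBoss] stopService()"},
    {"_time": "2016-05-02 10:15:09", "host": "app02.example.com",
     "_raw": "[INFO,ServiceManagerJBoss] stopService()"},
    {"_time": "2016-05-02 11:02:44", "host": "db01.example.com",
     "_raw": "[INFO,ServiceManagerJBoss] stopService()"},
    {"_time": "2016-05-02 11:40:17", "host": "legacy99.example.com",
     "_raw": "[INFO,ServiceManagerJBoss] stopService()"},
]

# Assumed fallback recipient so an alert for an unmapped host is never silently dropped.
DEFAULT_RECIPIENT = "soc-oncall@example.com"

# Only a plain single address is accepted as a mail recipient; anything else falls back.
_ADDRESS_RE = re.compile(r"^[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def load_lookup(csv_text, key_field, value_field):
    """Read a two-column lookup into a dict (what inputlookup plus a field pair gives)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row[key_field].strip(): row[value_field].strip() for row in reader}


def resolve_recipient(host, host_to_client, client_to_email, default=DEFAULT_RECIPIENT):
    """Chain the two lookups: host -> client code -> distribution list.

    Any break in the chain (unknown host, unknown client code, malformed address)
    yields the default recipient instead of no recipient. Matching is exact and
    case-sensitive, like a default Splunk lookup.
    """
    client = host_to_client.get(host)
    address = client_to_email.get(client) if client is not None else None
    if address is None or not _ADDRESS_RE.match(address):
        return default
    return address


def route_events(events, host_to_client, client_to_email, default=DEFAULT_RECIPIENT):
    """Group events by recipient; the stats values(Email) | mvexpand | map pattern
    does the same thing one recipient per map iteration."""
    buckets = defaultdict(list)
    for event in events:
        tagged = dict(event)  # leave the caller's event untouched
        tagged["Email"] = resolve_recipient(tagged["host"], host_to_client,
                                            client_to_email, default)
        buckets[tagged["Email"]].append(tagged)
    return dict(buckets)


def render_message(recipient, events, search):
    """Per-recipient message body: only that recipient's events are included."""
    lines = [f"To: {recipient}",
             f"Subject: JBoss stopService() seen on {len(events)} host(s)",
             f"Search: {search}", ""]
    lines += [f"{e['_time']} {e['host']} {e['_raw']}" for e in events]
    return "\n".join(lines)


if __name__ == "__main__":
    host_to_client = load_lookup(CLIENT_MAPPING_CSV, "hostname", "clientcodename")
    client_to_email = load_lookup(EMAIL_GROUPS_CSV, "Client_Code", "Email")
    search = '"[INFO,ServiceManagerJBoss] stopService()"'
    for recipient, evs in route_events(EVENTS, host_to_client, client_to_email).items():
        print(render_message(recipient, evs, search))
        print("-" * 60)
```

The recipient always comes from the lookup table, never from the event text, so a crafted log line cannot redirect an alert; the only event-derived value used is `host`, and it is only ever used as a dictionary key. Whatever you choose as the fallback, make it a monitored mailbox: an event that matches the alert but has no owner is exactly the one that should not disappear.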