Hi all,
I'm utilizing a search that we run throughout the day which looks for a specific service shutdown on all monitored servers. I currently have an Alert set which will send an email to me once this service shutdown string is noticed within the log file. My long term goal is to have this email go out to different distribution groups depending on the server itself.
To achieve this, we have created two lookup tables.
I wrote a macro that accepts an arg of $host$. Depending on the host name I type, it looks that up first in the client-mapping.csv, and then outputs the client code as a string to another lookup of email_groups.csv. When it's all said and done I'm left with an email address.
client_to_email(1)
inputlookup email_groups.csv | where Client_Code=[| inputlookup client-mapping.csv | where hostname = $host$ | head 1 | eval clientcodename="\"" + tostring(clientcodename) + "\"" | return $clientcodename] | fields Email
This is the search that we use to see if the service has been stopped.
"[INFO,ServiceManagerJBoss] stopService()" NOT (date_wday="sunday" AND date_hour > 2 AND date_hour < 7) NOT (date_wday="sunday" date_hour > 16 AND date_hour < 21 )
So my initial thought was to leave the search as is and add the macro at the end. This would allow me to add a token of Email Address to our To field in the trigger email. I tried to run the following
"[INFO,ServiceManagerJBoss] stopService()" NOT (date_wday="sunday" AND date_hour > 2 AND date_hour < 7) NOT (date_wday="sunday" date_hour > 16 AND date_hour < 21 ) | eval email = `client_to_email($host$)`
but I'm getting the following error.
Error in 'eval' command: The expression is malformed.
Any idea?
Thank You,
Billy
See my (admitted-to-work yet somehow still unaccepted) answer in this Q&A:
https://answers.splunk.com/answers/401081/how-to-use-the-sendemail-command-to-send-an-email.html
It says basically this (you just need to integrate your extra lookup into the solution):
This is from another Q&A:
https://answers.splunk.com/answers/399434/send-emailed-results-to-an-email-address-in-the-re.html#an...
If you need to send a contextually-appropriate subset of results to some people, you can skip the configuration-based email settings and do this in SPL:
... | outputcsv TempFile.csv
| stats values(Email_Address) AS emailToHeader | mvexpand emailToHeader
| map search ="|inputcsv TempFile.csv | where Email_Address=\"$emailToHeader$\"
| fields - Email_Address
| sendemail
sendresults=true inline=true
server=\"Your.Value.Here\"
from=\"Your.Value.Here\"
to=\"$emailToHeader$\"
subject=\"Your Subject here: \$name\$\"
message=\"This report alert was generated by \$app\$ Splunk with this search string: \$search\$\""
| where comment="MakeSureNoEventsRemain"
| append [|inputcsv TempFile.csv]
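Combining the asker's two lookups with the map/sendemail approach above, as an added example that is not part of either post: the field names hostname, clientcodename, Client_Code and Email are taken from the macro in the question, while the fallback address, the subject text, the temp file name and the use of the lookup command with a CSV filename are assumptions. Hosts with no mapping get the placeholder fallback address instead of being dropped silently.

```spl
"[INFO,ServiceManagerJBoss] stopService()"
    NOT (date_wday="sunday" AND date_hour > 2 AND date_hour < 7)
    NOT (date_wday="sunday" AND date_hour > 16 AND date_hour < 21)
| lookup client-mapping.csv hostname AS host OUTPUT clientcodename
| lookup email_groups.csv Client_Code AS clientcodename OUTPUT Email
| fillnull value="Your.Fallback.Address.Here" Email
| outputcsv TempFile.csv
| stats values(Email) AS emailToHeader
| mvexpand emailToHeader
| map search="| inputcsv TempFile.csv | where Email=\"$emailToHeader$\"
    | fields - Email
    | sendemail sendresults=true inline=true
        server=\"Your.Value.Here\" from=\"Your.Value.Here\"
        to=\"$emailToHeader$\"
        subject=\"JBoss stopService() seen: \$name\$\"
        message=\"Generated by \$app\$ Splunk with this search: \$search\$\""
| where comment="MakeSureNoEventsRemain"
| append [| inputcsv TempFile.csv]
```

Each distinct Email value produces one map iteration, so every distribution group receives only the rows for its own hosts; the final append restores the full result set for the alert itself.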