group results to be emailed to appropriate support...

splunkhan · ‎05-13-2019

I'm looking to search for multiple errors and exceptions across application logs for across multiple servers.

using a host_email.csv lookup table containing:
host, email_address

How can group these by error/exception type per server send email to corresponding team based on server. I would like to include in my email alert the alert message, server, and count. My search is not working:

| lookup host_email.csv
| search "error1" OR "error2" OR "error3" OR "error4" OR "exception1" OR "exception2" OR "exception3" | stats count values(_raw) by host
| search action.email=1 action.email.to=email_address

MuS · ‎05-13-2019

Hi splunkhan,

untested and just making this up, but something like this should work:

| lookup host_email.csv 
| search "error1" OR "error2" OR "error3" OR "error4" OR "exception1" OR "exception2" OR "exception3" | stats count values(_raw) by host
| search action.email=1 action.email.to=email_address
| map maxsearches=0 search="stats count 
| fields - count 
| sendemail from=buttercup@splunk.com to=$action.email$ subject=$alert.subject$ message=$alert.message$ sendresults=true"

You might need to modify to work correct, and read about the sendemail command here https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Sendemail and the map command here https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Map

Hope this helps ...

cheers, MuS

group results to be emailed to appropriate support team based on server

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life