Getting Data In

Website Monitoring: Different alerts for different websites

clombardi
New Member

I am literally a couple of hours into using Splunk free so please bear with me. We currently have multiple websites that we need up-time reports on so I downloaded the website monitoring application. This seems to be working like a charm, but I want to be able to send email alerts to predefined groups depending on which website generated the failure. I see that there is a default alert which I am using to send emails, however, I want the distribution group to be different for each site. I am assuming I would need to set up different alerts for each specific site failure? Is this possible in Splunk and how would I do this? Thanks!

0 Karma

jpass
Contributor

Two ideas...

Use Tokens:
You could have your search include the logic for determining where to send the alert. Then use this value via a token when you configure your alert. I have not tried this myself but I would be surprised if it didn't allow you to tokenize the "TO" address.

base search | eval send_to=case(wwwsite="mysite1.com","group1@asite.com",wwwsite="anothersite1.com","anothergroup@asite.com",1=1,"defaultgroup@asite.com")

When you configure your alert you could look at using a token for the to value: $result.send_to$

Another option is to use the sendemail command and save your search. It won't behave exactly like a normal saved search configured with alert actions but you can achieve what you're asking. It's been a while so you want to read the documentation here: https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Sendemail

base search | eval send_to=case(wwwsite="mysite1.com","group1@asite.com",wwwsite="anothersite1.com","anothergroup@asite.com",1=1,"defaultgroup@asite.com") | sendemail to=send_to from="your@email.com"

Suggestion: Use a lookup file
For either method you may want to use a lookup file. This way you don't have to include all the details in each search. What you'd do is create a CSV file that matches your alert email addresses to whichever website they should get paired to.

alert_email_to_domain.csv

    wwwsite,alert_email_address
    "asite1.com","alert_email1@asite.com"
    "asite2.com","alert2_email@asite.com"
    "asite3.com","alert3_email@asite.com"
    "asite4.com","alert4_email@asite.com"

Then in your search you could use the lookup command to pull in the email address that matches the website. If the field in your logs that tells you which website it is were "wwwsite":

base search | lookup alert_email_to_domain.csv wwwsite OUTPUT alert_email_address

Then you can use the field alert_email_address with either of the first two methods I explained: either in a search that uses the sendemail command, or as a token in the alert configuration using $result.alert_email_address$.

Please upvote and/or accept if you find my answer helpful. Good luck!

0 Karma
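The routing logic jpass describes (a lookup CSV that maps each monitored site to a distribution list, with a catch-all like the 1=1 branch of case()), shown here as an added Python example rather than Splunk code. It assumes hypothetical field names apart from "wwwsite" and "alert_email_address" from the answer, and constructs its own sample results. The point it adds is that the recipient is taken only from the lookup table, never from a field carried by the event itself, and that failures are grouped so each distribution list gets one email per run instead of one per failing check.

```python
import csv
import io
from collections import defaultdict

# Constructed lookup table mirroring the alert_email_to_domain.csv layout from the answer
LOOKUP_CSV = """wwwsite,alert_email_address
"asite1.com","alert_email1@asite.com"
"asite2.com","alert2_email@asite.com"
"asite3.com","alert3_email@asite.com"
"asite4.com","alert4_email@asite.com"
"""

# Hypothetical catch-all recipient, playing the role of the 1=1 branch of case()
DEFAULT_RECIPIENT = "defaultgroup@asite.com"

# Constructed sample monitoring results; "status" is a hypothetical field name
SAMPLE_RESULTS = [
    {"wwwsite": "asite1.com", "status": 500},
    {"wwwsite": "asite3.com", "status": 503},
    {"wwwsite": "asite1.com", "status": 502},
    {"wwwsite": "unknown.example", "status": 504},
    # An event that arrives with its own recipient field: it must be ignored,
    # otherwise whoever controls the monitored data could redirect the alert
    {"wwwsite": "asite2.com", "status": 500, "alert_email_address": "attacker@example.net"},
]


def load_lookup(csv_text):
    """Parse the lookup CSV into {site: recipient}, normalising the site key."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["wwwsite"].strip().lower(): row["alert_email_address"].strip()
            for row in reader}


def route_failures(results, lookup, default=DEFAULT_RECIPIENT):
    """Map each failed check to a recipient from the lookup table only.

    Returns {recipient: [site, ...]}. Sites missing from the table fall back to
    the default list; any recipient field present on the event is discarded.
    """
    routed = defaultdict(list)
    for event in results:
        site = str(event.get("wwwsite", "")).strip().lower()
        recipient = lookup.get(site, default)   # never event.get("alert_email_address")
        routed[recipient].append(site)
    return dict(routed)


def build_alerts(routed):
    """Produce one alert per distribution list, listing each failing site once."""
    alerts = []
    for recipient in sorted(routed):
        sites = sorted(set(routed[recipient]))
        alerts.append({
            "to": recipient,
            "subject": f"Website monitoring: {len(sites)} site(s) failing",
            "body": "\n".join(f"{s}: DOWN" for s in sites),
        })
    return alerts


if __name__ == "__main__":
    table = load_lookup(LOOKUP_CSV)
    for alert in build_alerts(route_failures(SAMPLE_RESULTS, table)):
        print(f"To: {alert['to']}\nSubject: {alert['subject']}\n{alert['body']}\n")
```

In Splunk terms, load_lookup plus route_failures is what `| lookup alert_email_to_domain.csv wwwsite OUTPUT alert_email_address` does for you, and build_alerts is the equivalent of adding a `| stats values(wwwsite) by alert_email_address` before the alert action so that $result.alert_email_address$ fires once per list rather than once per event.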