You could also add a "resolution" field to your search:
| eval resolution="message for your email"
I added the eval resolution and got the output, but what I required is if we get some message in the mail, it will be great!!!
The attribute you need to set in savedsearches.conf is:
action.email.message.report = This is the message you want in the email \
body and it \
can have multiple lines by doing \
this
Giving this also a try..
I gave this a try but am not getting the output; this is what I wrote:
action.email.message.report = Enable the job from task scheduler
This will work, if
a) the attribute is specified in savedsearches.conf for the alerting search you want to modify
b) you make the manual change and restart Splunk or reload the .conf files
I used the UI to specify the message and then looked at the resulting savedsearches.conf
Another way is to create a lookup of "error messages" and "resolution tasks",
and if you extract the error field from each search, you can do a lookup at the end.
Then display the result as a table with columns.
Then on the alert, the resolution will be listed in the results.
Example:
|_time | host | count | error | resolution |
Thanks. That can work too. Will give it a try.
You can follow this
Hi Sanjay, thanks for the reply, but my question is: do we have anything in Splunk that we can add to the alert mail? Example:
I received an alert for high memory usage for an app pool, and Splunk sent an alert for it saying that the particular app pool has high memory usage.
Can I add to that mail the below:
"Recycle app pool name to solve it"
You should be able to change the email message for any alert.
Check this if it helps
I have added the line to savedsearch.conf but it's still not working 😞
action.email.message = Recycle app pool
Any suggestion???
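The two approaches discussed in this thread (a custom email message in savedsearches.conf and a lookup that maps each error to a resolution) can be combined in one alert stanza. This is an added example, not configuration posted by anyone in the thread; the stanza name, index, sourcetype, field names, lookup name and recipient address are assumptions.

```ini
# Added example, not taken from the thread. Stanza name, index, sourcetype,
# field names, lookup name and recipient are hypothetical placeholders.
# Assumes a lookup definition "error_resolutions" with columns error,resolution:
#   error,resolution
#   app_pool_high_memory,Recycle the app pool
#   scheduled_task_disabled,Enable the job from Task Scheduler
[App pool high memory]
search = index=app_logs sourcetype=app_health error=* \
| stats count latest(_time) AS _time BY host error \
| lookup error_resolutions error OUTPUT resolution \
| fillnull value="No documented resolution" resolution \
| table _time host count error resolution
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
# Trigger when the search returns at least one row.
counttype = number of events
relation = greater than
quantity = 0
action.email = 1
action.email.to = ops@example.com
action.email.subject = Splunk Alert: $name$
# Alerts use message.alert; message.report is the text for scheduled reports.
# $result.<field>$ is filled from the first row of the search results.
action.email.message.alert = The alert "$name$" fired on $result.host$. \
Suggested fix: $result.resolution$
# Include the result table (with the resolution column) in the mail body.
action.email.sendresults = 1
action.email.inline = 1
action.email.format = table
```

The stanza has to live in the savedsearches.conf of the app that owns the alert, and Splunk has to be restarted or the configuration reloaded before the change takes effect.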