Dear vik_splunk,
Thank you so much for the help.
I am actually quite new to Splunk, therefore I am having trouble understanding your approach. Could you explain it in a bit more non-technical language?
For now, I am trying to understand what the SPL expression is doing. I don't understand the following on the face of it:
1. The first pipe just before append. What are you piping, the original event search query on which the alert is firing?
2. The append command runs only over historical data and does not produce correct results if used in a real-time search. [https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Append]
3. savedsearch_name=|, you didn't specify any savedsearch_name, instead you put a pipe in front of it again.
4. stats count(eval(if(isnull(_raw),0,_raw))) AS Count, this just flew right over my head.
5. eval _emailaddress=case(Count=0,"",Count=1,"",Count>2,"")|fields _emailaddress, this seems like the part where, based on the number or frequency of a particular alert, you are emailing different people, right?
6. One last question: what will happen to the original alert? Is this an "alert on top of alerts" thing? [a similar approach: https://answers.splunk.com/answers/237950/triggering-an-alert-on-alerts-alert-on-alerts.html] Or will the original alert stop firing to user A, say, and now only go to the inbox of B or C, etc.?
Many thanks for your time.
mmaqbool