I am using a lookup with a list of hosts, thresholds and email addresses to dynamically send email alerts when a threshold is hit.
It works well when there is a simple mapping:
host1 email1
host2 email1
But it's not working when it's:
host1 email1
host1 email2
The lookup looks like this:
My search is:
(mysearch calculating a rate)
| stats min(rate) as min_rate by host
| lookup mylookup.csv host OUTPUT threshold mail
| where min_rate > threshold | fields host min_rate mail threshold
Then, it sends an email using $result.mail$ within the savedsearches parameters (alert).
The problem is that it groups the results with host1 -> list of emails, hence it fails to separate the different email addresses as $result.mail$.
The result looks like this:
host1 email1.com
-------- email2.com
Instead of this:
host1 email1.com
host1 email2.com
It's probably because of the "by host" in my search. Is there a way to make the results "for each"?
Can anyone help me?
I tried playing with the lookup parameters, but I'm stuck... Thanks in advance.
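One way to get one result row per host/mail pair, so that $result.mail$ carries a single address, as an added example that is not part of the original post: it zips the multivalued mail and threshold fields the lookup returns for host1 into one field, expands that field with mvexpand, and only then applies the threshold test. It assumes the lookup definition is allowed to return more than one matching row (max_matches greater than 1, which is the default for CSV lookups) and that threshold is stored as a number in the CSV.

```spl
(mysearch calculating a rate)
| stats min(rate) as min_rate by host
| lookup mylookup.csv host OUTPUT threshold mail
| eval pair=mvzip(mail, threshold, "|")
| mvexpand pair
| eval mail=mvindex(split(pair, "|"), 0), threshold=tonumber(mvindex(split(pair, "|"), 1))
| fields - pair
| where min_rate > threshold
| fields host min_rate mail threshold
```

Keeping the `where` after the expansion matters: once host1 matches two lookup rows, threshold is multivalued as well, and comparing it before the split is not a per-recipient check, so one recipient's alert can be silently lost or fired against the wrong threshold.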