
Sending Multiple Alerts Based Upon Multiple Conditions Using One Alert In Splunk

Hello Everyone !!

We know that we can create different knowledge objects in Splunk like Dashboards, Alerts, Reports, etc. But today we will talk about a new and interesting trick regarding alerts.

Now, when we create any alert in Splunk we can specify only one trigger condition; the alert fires according to that condition, and we can also send the alert result to specific email id(s).

But have you ever tried to send multiple alerts based upon multiple conditions using one alert?

Probably not, right!!

Today we will show you how to achieve that. This topic is very new in the context of Splunk. Hope you will enjoy it. See the steps below.

Step:1

Log in to Splunk with your credentials and go to the Search & Reporting app.

Step:2

We will show you the alert on some dummy data. The query we have used to create the data is given below:

| makeresults | eval a="200,maityayan1996@gmail.com/300,saradamajumder3@gmail.com/400,bubaimaity00000@gmail.com", a=split(a,"/") | mvexpand a | table a | makemv delim="," a | eval status=mvindex(a,0), email=mvindex(a,1) | fields - a

Step:3

Now create an alert with this result set.


Step:4

Now do the following.

We have given this alert the name Alert For Multiple Condition and scheduled it to run every two minutes.

Now, you have to select For each result in the Trigger option. That means the alert will trigger once for each and every row in the result set.

Now, in the Add Actions option, first click on “Add to Triggered Alerts”.

After that, click on the “Send email” option from Add Actions. In the “To” field you have to give $result.email$, which pulls the respective email address from each row. We have also set the subject to “trigger for http status $result.status$”, which tells us for which status value the alert is triggering. Then just save the alert. Here email and status are two existing fields of the result set which we have used through the alert tokens.

Step:5
Now we will check in the mentioned email ids whether the alert has been sent or not.
For that, just go to each email id and search for the alert name.
You can see that the alert has been sent to all the email ids present in the result set.
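The same alert, written out as a savedsearches.conf stanza instead of clicking through the UI in Steps 1 to 4. This is an added example and not configuration from the original post; the stanza name, the app directory and the dispatch time range are assumptions.

```ini
# savedsearches.conf (assumed location: $SPLUNK_HOME/etc/apps/search/local/
# on the search head; the stanza name becomes the alert name)
[Alert For Multiple Condition]
# The same dummy-data search used in Step 2 above
search = | makeresults | eval a="200,maityayan1996@gmail.com/300,saradamajumder3@gmail.com/400,bubaimaity00000@gmail.com", a=split(a,"/") | mvexpand a | table a | makemv delim="," a | eval status=mvindex(a,0), email=mvindex(a,1) | fields - a
dispatch.earliest_time = -2m
dispatch.latest_time = now
# Scheduled alert, run every two minutes (Step 4)
enableSched = 1
cron_schedule = */2 * * * *
# Trigger condition: fire whenever the search returns at least one row
counttype = number of events
relation = greater than
quantity = 0
# "For each result": digest mode off means one trigger per row,
# so the $result.*$ tokens below are filled from that single row
alert.digest_mode = 0
# "Add to Triggered Alerts"
alert.track = 1
alert.severity = 3
# "Send email" action with the recipient and subject taken from the row
action.email = 1
action.email.to = $result.email$
action.email.subject = trigger for http status $result.status$
action.email.sendresults = 1
action.email.inline = 1
```

Because action.email.to is filled from the search result, whatever populates the email field decides where each alert goes, so keep that field under the control of the people who own the alert (for example a lookup you maintain) rather than taking it from arbitrary indexed data. With digest mode off, each row also appears as its own entry under Triggered Alerts.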


Now, just see the screenshots below. When the alert triggered, the results were sent to three different email ids, because the alert is triggered based on the specific condition (the status field) and each result is sent to the specific email id that matches its condition.

Hope that from now on, if you want to send alerts to different people depending upon multiple conditions using one alert, you can try this one.

Happy Splunking !!

Passionate content developer dedicated to producing result-oriented content, a specialist in technical and marketing niche writing!! Splunk Geek is a professional content writer with 6 years of experience and has been working for businesses of all types and sizes. It believes in offering insightful, educational, and valuable content, and its work reflects that.

3 COMMENTS

    • Yes, true. In our next blog related to this, we are going to introduce the add-on to perform even more tasks than this in a simpler way!!
