I've found a few different answers that approximate, but nothing yet that I can synthesize into a new solution for my environment.
Essentially, I have one log file that keeps a running log of the application's jobs (sourcetype 1). I have a second directory where technical logs of each job are kept and grouped in a subdirectory according to job group (sourcetype 2).
I'm alerting on the first sourcetype and want to include the contents of the second sourcetype in an email based on that alert condition (I can pull the filename from the first sourcetype). Even when a job fails, it is not certain that there will be any consistency in the messages within the technical logs that I can use to conduct a reliable second search.
Can I include the contents of a file of the second sourcetype in an email alert triggered by a search on the first sourcetype?
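One way to pull the second sourcetype into the alert's own result set, so the alert action can include it inline in the email, is a subsearch that turns the filename from the job log into a `source` filter on the technical logs. This is an added example, not code from the post or from Splunk's documentation; the index name, the sourcetype names, the `status` and `job_file` fields, and the assumption that `job_file` is the tail of the technical log's `source` path are all assumptions.

```spl
index=app sourcetype=tech_log
    [ search index=app sourcetype=job_log status=FAILED
      | eval source="*".job_file
      | fields source
      | format ]
| stats min(_time) as first_seen list(_raw) as technical_log by source
| convert ctime(first_seen)
```

The subsearch expands to `(source="*<file1>") OR (source="*<file2>") ...`, so no message content from the technical logs is needed to match them; note that the technical-log events still have to fall inside the alert's time range, so set that range wide enough to cover the gap between the job's failure and its log being written.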