topic Re: Send emailed results to an email address IN the results. in Other Usage

Send emailed results to an email address IN the results.

jdunlea — Fri, 06 May 2016 15:50:56 GMT

I want to be able to email results to recipients where the recipient email address is PART of the result set.

For example, lets assume the following is my result set in Splunk.

Now I want to have Splunk send an automated email for EACH RESULT where the recipient of the email is the value of the "Email_Address" field.

I.E: Email 1 contains results from row 1 ONLY and the recipient of that email is jon.snow@got.com, etc.

I am pretty sure it is not possible in native Splunk but I am curious to know if anyone has come up with a custom solution.

Re: Send emailed results to an email address IN the results.

jensonthottian — Fri, 06 May 2016 15:58:53 GMT

You can use tokens to pass "TO:" in email notifications.

http://docs.splunk.com/Documentation/Splunk/6.2.2/Alert/Setupalertactions

$Email_Address$

Courtesy Snow is back.

Re: Send emailed results to an email address IN the results.

jdunlea — Fri, 06 May 2016 16:11:24 GMT

Thanks Jenson!

Re: Send emailed results to an email address IN the results.

woodcock — Sat, 07 May 2016 13:45:21 GMT

If you need to send a contextually-approrpriate subset of results to some people, you can skip the configuration-based email settings and do this in SPL directly:

... | outputcsv TempFile.csv
| stats values(Email_Address) AS emailToHeader | mvexpand emailToHeader
| map search="|inputcsv TempFile.csv | where Email_Addresss=\"$emailToHeader$\"
   | fields - Email_Address
   | sendemail
      sendresults=true inline=true
      server=\"Your.Value.Here\"
      from=\"Your.Value.Here\"
      to=\"$emailToHeader$\"
      subject=\"Your Subject here: \$name\$\"
      message=\"This report alert was generated by \$app\$ Splunk with this search string: \$search\$\""
| search ThisFieldWillNeverExist="SoThisCommandWillDropAllEventsSoThatYouCanPullInTheOriginalSetWhichYouMightOrMightNotCareToDo"
| appendpipe [|inputcsv TempFile.csv]

The only downside to this approach is that If the search does not return any results it will produce the following error:

"Error in "map": Did not find value for required attributes 'emailToHeader'

This is "normal" and I have not found a good way to code around it.

Re: Send emailed results to an email address IN the results.

brothersman — Mon, 13 Jun 2016 19:37:33 GMT

Thanks Jenson

Re: Send emailed results to an email address IN the results.

nunoaragao — Fri, 31 Mar 2017 09:42:23 GMT

I believe you need $results.Email_Address$

Re: Send emailed results to an email address IN the results.

AssafLowenstein — Thu, 15 Mar 2018 11:47:39 GMT

Not sure how this answers the question.
what's the SPL for sending multiple emails with recipients based on fields in the result set with the data that is relevant for each user?

Re: Send emailed results to an email address IN the results.

elewis1 — Fri, 22 Nov 2019 14:55:05 GMT

I got around the error for no results by adding the following immediately before the map command
|append [|makeresults |eval ]

e.g. |append [|makeresutls |eval emailToHeader=""]

I also added "graceful=true" to the sendemail command to ignore errors about trying to send an email with no "to"

Re: Send emailed results to an email address IN the results.

woodcock — Sat, 23 Nov 2019 00:25:26 GMT

Yes, I also found a solution to the empty map problem later on.

Re: Send emailed results to an email address IN the results.

thuhuongle — Wed, 30 Sep 2020 15:46:16 GMT

Hi Woodcock, Do you have a solution without using sendemail commend but can parse the token to the alert by email.
Great solution with |sendemail

Re: Send emailed results to an email address IN the results.

thuhuongle — Thu, 05 Nov 2020 16:44:23 GMT

Re: Send emailed results to an email address IN the results.

splunkyfun12721 — Tue, 02 Mar 2021 21:02:00 GMT

SPL for sending email based on email address value in the result:

<base search> | table User Email_Address | sendemail to=$result.Email_Address$ subject=$result.User$ ...

https://docs.splunk.com/Documentation/Splunk/8.1.2/Alert/EmailNotificationTokens#Result_tokens

Re: Send emailed results to an email address IN the results.

ejwade — Thu, 04 Nov 2021 22:47:15 GMT

Hi @woodcock.

This is very helpful, and somewhat of a game changer in sending dynamic alerts from Splunk. Thank you!

I did have a quick question about outputcsv.

From what I've read, outputlookup writes to a lookup file that replicates across a search head cluster, while outputcsv just writes a CSV in the current search head's var/run directory. I'm looking to have this result dataset NOT be persistent. Do you have any recommendations about creating a result dataset for the map command that will age out after the search is run, or some configurable time after?