topic Re: sendresults in Splunk Alert in Alerting

sendresults in Splunk Alert

rchakka — Wed, 27 Jun 2018 23:55:43 GMT

can we use sendresults command in a splunk alert ?

for example,i am creating an alert to trigger email via sendresults when a specific condition is triggered

"my query"| eval email_to="abc@123.com"
| sendresults showemail=f subject=" Password Changed alert" body="The password on your Network account has changed. If you did not initiate this change, please contact your system administrator."

Note: the email is generated when i perform the search ,but it is not working when used in the alert

Re: sendresults in Splunk Alert

jkat54 — Thu, 28 Jun 2018 00:40:54 GMT

For alerts we use sendalert. It’s a little different.

But if you just save the search as an alert, splunk will do that for you.

Re: sendresults in Splunk Alert

jkat54 — Thu, 28 Jun 2018 00:41:37 GMT

Save as alert without sendemail command that is. Then add a trigger condition and make it send an email as the action.

Re: sendresults in Splunk Alert

rchakka — Thu, 28 Jun 2018 10:27:53 GMT

thanks for the response.

what if the email is variable field?

for example
"my query"| eval email_to=$test$
| sendresults showemail=f subject=" Password Changed alert" body="The password on your Network account has changed. If you did not initiate this change, please contact your system administrator."

Re: sendresults in Splunk Alert

jkat54 — Thu, 28 Jun 2018 12:41:50 GMT

See this article and change the version to your correct splunk version:

https://docs.splunk.com/Documentation/Splunk/7.1.1/Alert/EmailNotificationTokens

In 7.1.1 for example you’d use $result.fieldName$ in your email subject, to/cc/bcc, body,
Etc

Re: sendresults in Splunk Alert

rchakka — Fri, 29 Jun 2018 13:24:42 GMT

"my query"| eval email_to=$test$
| sendresults showemail=f subject=" Password Changed alert" body="The password on your Network account has changed. If you did not initiate this change, please contact your system administrator."

I used in the alert email field

TO $result.test$

but still no luck with email. note: the query is working fine.

Re: sendresults in Splunk Alert

jkat54 — Fri, 29 Jun 2018 13:35:36 GMT

Where is $test$ coming from? Drop down menus or fields in the data?

Re: sendresults in Splunk Alert

rchakka — Tue, 03 Jul 2018 16:43:10 GMT

fields in the data from my search

Re: sendresults in Splunk Alert

rchakka — Wed, 18 Jul 2018 13:20:49 GMT

Identified an issue with realtime alerting .the alert is triggering first time only when we use variable field in send mail to field. Anyone with similar issues? i am using splunk cloud? thank you all.

Re: sendresults in Splunk Alert

woodcock — Wed, 18 Jul 2018 14:37:57 GMT

Yes, but you have control over your saved search; you can set it to Run as owner or Run as user. Obviously, the permissions vary user-to-user. Make sure that it runs for you, then you have a choice to make: give everyone enough permissions so they can run it, too, or have it Run as owner.