topic Re: Custom Email Alert Recipients from the Reports in Alerting

Custom Email Alert Recipients from the Reports

muralianup — Wed, 09 Mar 2016 16:56:06 GMT

Is it possible to send the alerts to the users who are in the reports ? I have a report sent via email which monitors failed logins when it hits a certain threshold. Now, I want to know if its possible to send this report to the user itself who've this failed logins.
Eg:

UserA --> 20 failed logins --> Send the report to User A
UserB -->10 failed logins --> Send the report to User B

Re: Custom Email Alert Recipients from the Reports

jstacey_intuit — Wed, 09 Mar 2016 17:42:56 GMT

http://docs.splunk.com/Documentation/Splunk/latest/Alert/Emailnotification

See the section "Send email to different recipients based on search results".

Re: Custom Email Alert Recipients from the Reports

muralianup — Thu, 10 Mar 2016 15:19:27 GMT

Agree that helps. But I am stuck in a situation where the userid is not exactly same as email. Lets say:

user Jdoe has 20 Failed Logins. The email id of this user could be john.joe@domain.com

Re: Custom Email Alert Recipients from the Reports

woodcock — Sun, 13 Mar 2016 00:29:21 GMT

This cannot be done with the standard alert capabilities but you can call sendemail inside of the search itself:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Sendemail

Assuming you have passed your events through a lookup so that each event has a field called email_address, it will look somewhat like this:

... | outputcsv MySearchOutput.csv
    | stats values(email_address) AS emailToheader mvexpand emailToheader
    | map search="|inputcsv max=0 MySearchOutput.csv | where email_address="$emailToHeader$"
    | fields - email_address
    | sendemail
          sendresults=true inline=true
          from=\"somebody@somedomain.com\"
          to=\"$emailToHeader$\"
          subject=\"Some Subject\"
          message=\"Some Body\"
    | where Comment="Make sure no events remain and put the results back the way that they were so that Alert stuff works, too."
    | append [|inputcsv max=0 MySearchOutput.csv]

Re: Custom Email Alert Recipients from the Reports

muralianup — Tue, 15 Mar 2016 15:51:31 GMT

Problem is only the username is captured in the log and corresponding email id format is different. Username can be jdoe and email will be john.doe@ . Do you think there must be some script that can pull this info from the ldap or ad ?

Re: Custom Email Alert Recipients from the Reports

woodcock — Sun, 20 Mar 2016 22:15:03 GMT

Yes. You can either do a nightly LDAP for all users and dump to a lookup file OR do a scripted lookup to LDAP each user. Either way, my original answer is the same: you just need to convert user to email first.

Re: Custom Email Alert Recipients from the Reports

muralianup — Mon, 21 Mar 2016 09:57:15 GMT

Understood. I was rather thinking if there's a way to do a real-time ldap check because the number of users are very high so I do not know how feasible dumping a lookup from LDAP will be.

Re: Custom Email Alert Recipients from the Reports

woodcock — Mon, 21 Mar 2016 14:31:56 GMT

Yes, this can be done but I have not done it so cannot speak to the details. You are probably best off closing out this question by clicking "Answer" and the asking a new question about LDAP lookups.