topic Re: Send mail to user in search results in Alerting

Send mail to user in search results

Sasquatchatmars — Tue, 13 Oct 2020 09:05:59 GMT

Hi all,

I have made a search that gives me every user who's password expires in less than 10 days. Is there a way to send an email daily to that user instead of the IT department? So I can fully automate this process and that the users themselves are notified in case of password expiring.

Thank you,

Sasquatchatmars

Re: Send mail to user in search results

rnowitzki — Tue, 13 Oct 2020 09:52:16 GMT

Hi @Sasquatchatmars ,

Create an alert based on your search (execute the search and click on "save as > alert" above the time picker).

Here you would select the email notification action.

You can get the details for the configuration here:
https://docs.splunk.com/Documentation/Splunk/latest/Alert/Emailnotification

There is a paragraph that explains how you can send the alert to different users, based on the search results.
Do you have the email in the search results? If not, you could get it from a lookup that provides the email based on the username for example.

BR
Ralph

Re: Send mail to user in search results

Sasquatchatmars — Tue, 13 Oct 2020 10:01:33 GMT

Hi @rnowitzki ,

Thank you for your comment. Do you know if it is possible to make an email template that is sent to those specified users? What a procedure that they need to follow for example?

Thank you,

Sasquatchatmars

Re: Send mail to user in search results

rnowitzki — Tue, 13 Oct 2020 10:09:32 GMT

Yes, it's all in the alert settings. You can give the subject and body of the email and use tokens to integrate values from the search results (for example the name of the user or the number of days until the pw expires).

You reference fields from the search results with $result.fieldname$, details in the link provided.

Somethine like: "Hello $result.firstname$, your password will expire in $result.daysuntilexpiration$"

BR
Ralph

Re: Send mail to user in search results

Sasquatchatmars — Tue, 13 Oct 2020 10:11:30 GMT

Hi @rnowitzki

Thank you very much for your help, this was exactly what I needed!

Sasquatchatmars

Re: Send mail to user in search results

Sasquatchatmars — Tue, 13 Oct 2020 13:02:45 GMT

Hi @rnowitzki ,

Is there a way to use all results from the search, the $result.name$ only uses the first result of the field. My search has multiple results. I tried the token $results.name$ but did didn't seemed to work.

Thank you,

Sasquatchatmars

Re: Send mail to user in search results

rnowitzki — Tue, 13 Oct 2020 13:14:36 GMT

Hi @Sasquatchatmars

The tokens are only assigned to the first row in the result set.

But try to set the trigger of the alert to "for each result" instead of "once".

This should trigger an alert->email for each of the search results, so an email is sent to every single user with expiring password.

BR
Ralph

Re: Send mail to user in search results

Sasquatchatmars — Tue, 13 Oct 2020 13:41:52 GMT

Hi @rnowitzki,

Thank you this was the answer!

Sasquatchatmars

Re: Send mail to user in search results

swetham — Thu, 12 Oct 2023 05:42:12 GMT

Hi. Can you tell me the spl how to fetch the password expiry date and username from search results ?