topic Re: sendemail to Function - Send email only if there are results in Reporting

sendemail to Function - Send email only if there are results

anantshah — Sat, 02 Apr 2011 02:31:36 GMT

Hello,

I am using the sendemail to function in my search to send emails. I receive the email whenever the search is run as expected. Is there a way to configure the search/sendemail function so that email is only sent out if there are results?

I am aware that i can accomplish this if use the schedule search with alert functionality and pick generate alerts if events greater than > 0. I cannot use this as i want the results in a csv file. The alert functionality is configured to use inline results and i am not able to modify it for a single search.

Re: sendemail to Function - Send email only if there are results

sideview — Sat, 02 Apr 2011 09:06:25 GMT

Well it sounds like you've modified your system to send the emails differently than they are normally sent out? But for the record, when you use the normal alerting on a scheduled search, I believe when it sends you the results it attaches them as a CSV file.

Certainly csv is one of the options when you create an alert in 4.2.

I think for you, the best option may be to set up your alert to trigger a python script instead of using the native sendemail. I believe the results of the search are made available to those python scripts and you can then send your own email from python hopefully without a great deal of trouble. Unfortunately I dont know of any examples you can build off of, but maybe someone else does.

the docs for scripted alerting are here:

http://www.splunk.com/base/Documentation/4.2/Admin/Configurescriptedalerts

Re: sendemail to Function - Send email only if there are results

woodcock — Wed, 25 Jul 2018 21:14:05 GMT

Do it like this:

... | rename COMMENT1of3 AS "Splunk sendemail ALWAYS sends email, even when no results found; we address this with 2 settings:"
| rename COMMENT2of3 AS "First, we put 'null()' in 'to' header when no results; this causes 'sendemail' to error."
| rename COMMENT3of3 AS "Last, we use 'graceful=true' so that the search does not log any error for that."
| eval valueForToHeader=if(isnotnull(someFieldNameInYourResults), "YourGoodEmailGoesHere@YourCompany.com", null())
| sendemail
   to=$result.valueForToHeader$
   graceful=true
   ...

Re: sendemail to Function - Send email only if there are results

woodcock — Mon, 30 Jul 2018 18:23:55 GMT

Thank you for the UpVote, @sideview!

Re: sendemail to Function - Send email only if there are results

sideview — Mon, 30 Jul 2018 21:19:02 GMT

I agree. My accepted answer here is from the 4.2 era. Looking in the docs, it seems graceful=true has been there since at least 4.3. As a wild guess, graceful=true has just been there forever and you could always do this and i just didn't notice until today. 😃 Agree that yours should be the accepted answer.

Re: sendemail to Function - Send email only if there are results

woodcock — Tue, 31 Jul 2018 02:17:54 GMT

To be fair, this took me weeks to figure out, off and on. It was challenging. It seems totally non-intuitive that you can use eval when there are no events in your current data set, but evidently calling sendemail does something very special that possibly no other commands do, probably because a great deal of effort was put into that command for the express intent of doing exactly what we are trying to disallow! It really should be a command argument: send_when_no_results={true,false}.

Re: sendemail to Function - Send email only if there are results

anjith05 — Fri, 24 Jan 2020 16:03:00 GMT

The above solution works fine except that it is adding the valueForToHeader to the results sent in the email, is there a way to filter out that valueForToHeader column in the result set sent in email?

Re: sendemail to Function - Send email only if there are results

sandeepreddy947 — Tue, 21 May 2024 20:40:13 GMT

Hi @woodcock @sideview

Is there a way i can use sendemail to results of field values.

Details: i have a search results that has set of columns with user and email with different columns. Requirement is when a alert is triggered then results includes with columns: user, user_email, subject, recipient, owner, owner_email then sendemail to ower_email from the values of a results then sends email to ownerofuser1234@email.com, ownerofuser345@email.com, ownerofuser567@email.com.

So, all fields are dynamic and list is large.

eg:

An alert triggered from a search and following are the results of alert.

user	user_email	subject	recipient	owner	owner_email
user1234	user1234@email.com	cross section from alert 1	recipientname1	ownerofuser1234	ownerofuser1234@email.com
user345	user345@email.com	cross section from alert 2	recipientname2	ownerofuser345	ownerofuser345@email.com
user567	user567@email.com	cross section from alert 4	recipientname3	ownerofuser567	ownerofuser567@email.com

Thanks in advance!