topic Re: How to get Splunk sendemail command to send multiple emails based on search results 2016 in Reporting

How to get Splunk sendemail command to send multiple emails based on search results 2016

ThomasControlw1 — Tue, 29 Sep 2020 09:41:26 GMT

cheers @ all splunker,

one more question of this topic. (How to get Splunk sendemail command to send multiple emails based on search results)
I read a lot of stuff & take a lot of time but without success.
why the following search sent only to TO Emailladress and the first Emailadress of searchresult.
the goal is that all email recipient from search got an email.

could please someone assit?

SplunkCore V6.3.1
Search:
sourcetype=Authenticator user="*" action=Authentication status=Success
| eval username =lower(user)
| stats latest(_time) as Login by username
| eval tnow =now()
| eval diff =tnow - Login
| convert ctime(Login)
| convert ctime(tnow)
| eval diff1 = strftime(diff,"%j")
| join [ inputlookup userauth.csv
| rename "# username" as username ]
| eval cc_all=mvjoin(email, ",")
| where diff1 > 90
| table "first name" "last name" Login username "email" "mobile number" "diff1" cc_all
| sort diff1
| sendemail to=$result.bcc$ cc=some@email.de format=html subject="short discription" from=other.e@mail.de priority=highest footer="text" server=smtp.1234.de sendresults=false

the table result as aspected, the cc_all field has a lot of emailadreses to sent

5/12/16 2:45:27.404 PM

2016-05-12 14:45:27,404 +0200 INFO sendemail:112 - Sending email. subject="short discription", results_link="None", recipients="[u'thxxog@cxxe.de', u'first@result.email.adresse']", server="smtp.1234.de"
source = /opt/splunk/var/log/splunk/python.log

thanks in advance

Re: How to get Splunk sendemail command to send multiple emails based on search results 2016

somesoni2 — Thu, 12 May 2016 19:24:26 GMT

Give this a try

sourcetype=Authenticator user="*" action=Authentication status=Success
| eval username =lower(user)
| stats latest(_time) as Login by username
| eval tnow =now()
| eval diff =tnow - Login
| convert ctime(Login)
| convert ctime(tnow)
| eval diff1 = strftime(diff,"%j")
| join [ inputlookup userauth.csv
| rename "# username" as username ]
| eval cc_all=mvjoin(email, ",")
| where diff1 > 90
| table "first name" "last name" Login username "email" "mobile number" "diff1" cc_all
| sort diff1 | map maxsearches=PutAnIntegerNumberHere search="| gentimes start=-1 | sendemail to=$bcc$ cc=some@email.de format=html subject=\"short discription\" from=other.e@mail.de priority=highest footer=\"text\" server=smtp.1234.de sendresults=false"

Re: How to get Splunk sendemail command to send multiple emails based on search results 2016

ThomasControlw1 — Fri, 13 May 2016 07:13:38 GMT

Hi somesoni2,
great job this works perfekt for me.
there was on typo "| sendemail to=$bcc$" it must be | sendemail to=$cc_all$
what exactly means "map maxsearches=PutAnIntegerNumberHere search="| gentimes start=-1 "

could you please explain one more?
Thanks a lot

Re: How to get Splunk sendemail command to send multiple emails based on search results 2016

ThomasControlw1 — Fri, 13 May 2016 07:19:10 GMT

Hi somesoni2,
great JOB!
thre was on typo, "| sendemail to=$cc_all$" and it will work perfectly.
could you please explaine on more detail what " | map maxsearches=PutAnIntegerNumberHere search="| gentimes start=-1 |" means?

Thanks a lot

Re: How to get Splunk sendemail command to send multiple emails based on search results 2016

sirajnp — Wed, 30 Jun 2021 07:26:20 GMT

It's pretty simple, don't even need to use map command. Just enable send email alert action and in to: field set $result.email$ and select trigger "for each result". Email will be send to the respective email address for each line of result.

Re: How to get Splunk sendemail command to send multiple emails based on search results 2016

sirajnp — Wed, 30 Jun 2021 07:39:34 GMT

It's pretty simple. Just enable send email alert action and in to: field set $result.email$ (email - depend upon your field name in Splunk result) and select trigger "for each result". Email will be send to the respective email address for each line of result.

https://docs.splunk.com/Documentation/Splunk/6.3.3/Alert/Emailnotification#Send_email_to_different_recipients_based_on_search_results