https://community.splunk.com/t5/Splunk-Search/Sendemail-Splunk-CLI-always-sends-email-whether-results-are/m-p/43615#M10258 <P>Do it like this:</P> <PRE><CODE>... | rename COMMENT1of3 AS "Splunk sendemail ALWAYS sends email, even when no results found; we address this with 2 settings:" | rename COMMENT2of3 AS "First, we put 'null()' in 'to' header when no results; this causes 'sendemail' to error." | rename COMMENT3of3 AS "Last, we use 'graceful=true' so that the search does not log any error for that." | eval valueForToHeader=if(isnotnull(someFieldNameInYourResults), "YourGoodEmailGoesHere@YourCompany.com", null()) | sendemail to=$result.valueForToHeader$ graceful=true ... </CODE></PRE> Wed, 25 Jul 2018 21:14:19 GMT woodcock 2018-07-25T21:14:19Z https://community.splunk.com/t5/Splunk-Search/Sendemail-Splunk-CLI-always-sends-email-whether-results-are/m-p/43612#M10255 <P>I'm running the following search from Splunk CLI:</P> <P>./splunk search 'index=test | search _raw!="scoobydoo" | sendemail to="elvis@splunk.com,john@splunk.com" subject=myresults server=mail.splunk.com' -auth etc:pass</P> <P>The behavior I see is that an email is always sent whether or not results are returned by the search. </P> <P>Is there some way to tell Splunk to only send email when there are results?</P> Sat, 04 Sep 2010 00:40:20 GMT https://community.splunk.com/t5/Splunk-Search/Sendemail-Splunk-CLI-always-sends-email-whether-results-are/m-p/43612#M10255 the_wolverine 2010-09-04T00:40:20Z https://community.splunk.com/t5/Splunk-Search/Sendemail-Splunk-CLI-always-sends-email-whether-results-are/m-p/43613#M10256 <P>No, Splunk doesn't provide per-result set branching logic in the search language.</P> <P>I would script this using the Python SDK:</P> <PRE><CODE>import time import splunk import splunk.auth as au import splunk.search as se splunk.mergeHostPath('localhost:4001', True) key = au.getSessionKey('admin', 'changeme') d = se.dispatch('search index=_internal | head 10') while not d.isDone: time.sleep(1) if d.resultCount &gt; 0: d.setFetchOption(search='sendemail to=...@splunk.com from=...@splunk.com server=ip1.splunk.com subject=myresults sendresults=true') r = d.results[0] </CODE></PRE> <P>You can then run this via: <CODE>splunk cmd python &lt;scriptname&gt;.py</CODE></P> <P>A shell script may be even easier.</P> Sat, 04 Sep 2010 11:29:16 GMT https://community.splunk.com/t5/Splunk-Search/Sendemail-Splunk-CLI-always-sends-email-whether-results-are/m-p/43613#M10256 Stephen_Sorkin 2010-09-04T11:29:16Z https://community.splunk.com/t5/Splunk-Search/Sendemail-Splunk-CLI-always-sends-email-whether-results-are/m-p/43614#M10257 <P>You could consider running using the Splunk scheduler, and using Splunk's conditional script triggering rather than running the search at the CLI.</P> Mon, 06 Sep 2010 05:48:28 GMT https://community.splunk.com/t5/Splunk-Search/Sendemail-Splunk-CLI-always-sends-email-whether-results-are/m-p/43614#M10257 gkanapathy 2010-09-06T05:48:28Z https://community.splunk.com/t5/Splunk-Search/Sendemail-Splunk-CLI-always-sends-email-whether-results-are/m-p/43615#M10258 <P>Do it like this:</P> <PRE><CODE>... | rename COMMENT1of3 AS "Splunk sendemail ALWAYS sends email, even when no results found; we address this with 2 settings:" | rename COMMENT2of3 AS "First, we put 'null()' in 'to' header when no results; this causes 'sendemail' to error." | rename COMMENT3of3 AS "Last, we use 'graceful=true' so that the search does not log any error for that." | eval valueForToHeader=if(isnotnull(someFieldNameInYourResults), "YourGoodEmailGoesHere@YourCompany.com", null()) | sendemail to=$result.valueForToHeader$ graceful=true ... </CODE></PRE> Wed, 25 Jul 2018 21:14:19 GMT https://community.splunk.com/t5/Splunk-Search/Sendemail-Splunk-CLI-always-sends-email-whether-results-are/m-p/43615#M10258 woodcock 2018-07-25T21:14:19Z