https://community.splunk.com/t5/Splunk-Search/How-to-send-email-to-different-groups-based-on-the-criteria/m-p/374202#M109988 <P>The <A href="https://splunkbase.splunk.com/app/1794/">sendresults</A> application should be a perfect fit for your scenario.</P> Sun, 25 Mar 2018 00:32:21 GMT gjanders 2018-03-25T00:32:21Z https://community.splunk.com/t5/Splunk-Search/How-to-send-email-to-different-groups-based-on-the-criteria/m-p/374201#M109987 <P>I would like to send emails to different groups based on number of events returned for a search. </P> <P>Query:</P> <PRE><CODE>index=xyz (host=server1) (sc_status=2*) (sc_status!=400*) | sort - _time | eval Time=strftime(_time, "%m/%d/%y %I:%M:%S %p") | eventstats count as TOTAL_COUNT | eval recipients = case(TOTAL_COUNT &gt; 100, "qwerty1@abc.com,qwerty2@abc.com,qwerty3@abc.com", TOTAL_COUNT &gt;= 50, "qwerty4@abc.com,qwerty5@abc.com,qwerty5@abc.com", 1==1, null()) | table Time,host,c_ip,cs_uri_stem,s_ip,s_port,sc_status,sc_substatus,time_taken | sendemail to="qwerty1@abc.com,qwerty2@abc.com,qwerty3@abc.com" server=server subject="Here is an email notification" message="This is an example message" sendresults=true inline=true format=table sendpdf=false </CODE></PRE> <P>This is working fine. But, I am not able to use the recipients custom field created based on the thresholds. I would like to use something like </P> <PRE><CODE>| sendemail **to=$recipients$** server=server subject="Here is an email notification" message="This is an example message" sendresults=true inline=true format=table sendpdf=false </CODE></PRE> Fri, 23 Mar 2018 19:35:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-send-email-to-different-groups-based-on-the-criteria/m-p/374201#M109987 kollachandra 2018-03-23T19:35:23Z https://community.splunk.com/t5/Splunk-Search/How-to-send-email-to-different-groups-based-on-the-criteria/m-p/374202#M109988 <P>The <A href="https://splunkbase.splunk.com/app/1794/">sendresults</A> application should be a perfect fit for your scenario.</P> Sun, 25 Mar 2018 00:32:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-send-email-to-different-groups-based-on-the-criteria/m-p/374202#M109988 gjanders 2018-03-25T00:32:21Z https://community.splunk.com/t5/Splunk-Search/How-to-send-email-to-different-groups-based-on-the-criteria/m-p/374203#M109989 <P>Thank you for the help.</P> <P>Everything is good except that I am not able to define the subject of the alert dynamically. </P> <P>So, can you please let me know if there is a way I can remove the recipient field from the table of the alert and use $result.recipient$ in the to field of the alert.</P> <P>I am not be able to send the alert using $result.recipient$ but the only issue is if I mention it in the table it is chatty to read the alert. If I remove it by using | fields - recipient then the alert isn't being triggered to the corresponding recipients.</P> <P>Please help me.</P> Tue, 17 Apr 2018 19:01:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-send-email-to-different-groups-based-on-the-criteria/m-p/374203#M109989 kollachandra 2018-04-17T19:01:10Z