topic Re: How to send mail to the user in one mail if the values are combined? in Splunk Search

How to send mail to the user in one mail if the values are combined?

garujoey — Thu, 24 May 2018 08:55:43 GMT

Hi There,

I'd like to send mails to the people from my search table, the table looks like below:

No.  username   Site   
1      a                   A       
2      b                   B

I tried to use command but it sent mail to the top user in the table instead of all them.

| eval recipients=mvjoin(username, ";") | nomv recipients | sendemail from=xxx to=$result.recipients$

I searched mvexpand, mvcombine, but no luck, would you share your suggestion please?
Thank you!

Re: How to send mail to the user in one mail if the values are combined?

garujoey — Thu, 24 May 2018 09:01:58 GMT

missed some comments that if the vaules are comined, then I can send mail to them in one mail, in the to list, it is "a;b"

Re: How to send mail to the user in one mail if the values are combined?

xpac — Thu, 24 May 2018 09:08:10 GMT

Hey,

You could add this to your query:
| stats values(username) as recipients
You would then get a single multi value field called recipients, which can then be combined into a single string using mvjoin -iirc, addresses must be separated by ,.

Hope that helps 🙂

Re: How to send mail to the user in one mail if the values are combined?

niketn — Thu, 24 May 2018 09:16:13 GMT

@garujoey you should create a query with usernames and use map command iterate through users and send email to each one of them.

Here is an older answer for your reference: https://answers.splunk.com/answers/412019/why-are-empty-emails-being-sent-using-map-sendemai.html

Re: How to send mail to the user in one mail if the values are combined?

HiroshiSatoh — Thu, 24 May 2018 09:17:10 GMT

How's this?

   (your search)
|stats values(username) as username
|eval recipients=mvjoin(username, ";")
|sendemail from=xxx to=recipients

Re: How to send mail to the user in one mail if the values are combined?

xpac — Thu, 24 May 2018 09:40:18 GMT

Be aware that this makes Splunk send one mail per user, which might cause considerable overhead. Sending a single mail with multiple recipients might be more efficient.

Re: How to send mail to the user in one mail if the values are combined?

garujoey — Thu, 24 May 2018 09:54:31 GMT

Thanks xpac, it should be working, I remove the sendemail part to the test first, looks good.

But by adding | stats values(username) as recipients, the table will be changed as well.
Is there a way to keep below search result which I need to put it into the mail body?

No. username Site
1 a A
2 b B

Re: How to send mail to the user in one mail if the values are combined?

xpac — Thu, 24 May 2018 10:04:08 GMT

You could try this instead, but I haven't tested it:

| eventstats values(username) as _recipients
| eval _recipients=mvjoin(_recipients, ",") 
| sendemail to=$result._recipients$

The _ in front of the field name should make it invisible,but still available... Try that 🙂

Re: How to send mail to the user in one mail if the values are combined?

garujoey — Thu, 24 May 2018 10:27:33 GMT

Thanks xpac, it works well!!!

I will setup an alert or report using this search query. However it will be a little different as what I setup it in the alert trigger threshold that if the result is over 1, Splunk will send mail out.

By using this way, looks like Splunk will send out even the result is 0, but I will try to figure that out.

Re: How to send mail to the user in one mail if the values are combined?

niketn — Thu, 24 May 2018 10:40:31 GMT

True... username can be a email Distribution Group then.

Re: How to send mail to the user in one mail if the values are combined?

garujoey — Thu, 24 May 2018 10:51:50 GMT

Yes, I am going to only send one mail with multiple recipients to avoid too much duplicated mails.
:)