topic How to group data to send email alerts in Splunk Search

How to group data to send email alerts

Dayalss — Tue, 05 Nov 2024 10:43:52 GMT

Hi,

I have a huge set of data with different emails in it , I want to setup email alerts for few parameters.
But the issue is I'm unable to group the events on email and send a email alert with the csv attachment of the results.

Example:-

abc@email has around 80 events in the table , I want to send only one alert to abc with all the 80 events in it as csv attachment.

And there are around 85+ emails in my data , and they have to be grouped using only 1 spl and it should be used in alert.

Note :- dont suggest $result.field$ or stats to group its not useful for me.

Thank you

Re: How to group data to send email alerts

PickleRick — Tue, 05 Nov 2024 12:15:50 GMT

I don't understand. You want to send different set of results to different people as a single alert action?

No can do.

You could try using https://splunkbase.splunk.com/app/1794

Re: How to group data to send email alerts

Dayalss — Tue, 05 Nov 2024 12:18:50 GMT

I feel if we can first group the events on email and then use the email as a token in the email recipient , we can do it .

But Im not getting how we can do that.

Re: How to group data to send email alerts

victor_menezes — Tue, 05 Nov 2024 13:57:52 GMT

Have you tried to consolidate then via stats command and then configure your alert to trigger for each result and tokenize the email parameter?

Try this (adjust to your reality):

<your search> | stats values(event_field) as events by user, email

Then in your alert configuration, set trigger conditions:
Number of results > 0
Trigger: For each result

And add the email action with To with token $result.email$

That will make each email receive their group of events

Give it a try and let me know