topic Re: not sendemail if "Results not found" in Splunk Search

not sendemail if "Results not found"

retesi — Wed, 09 Jul 2014 16:13:23 GMT

Hi. I'm trying to selectively send emails (using sendemail); if the output of the query is "No results found" or "No results", I don't want to send emails.

here's my cli command:

splunk search "|savedsearch hello|sendemail to=admin@example.com from=server@example.com sendresults=true format=html inline=true subject=splunk_log"

hello is a generic query returning nothing

Re: not sendemail if "Results not found"

somesoni2 — Wed, 09 Jul 2014 19:55:45 GMT

Do you execute the search (result of which you want to email) manually on adhoc basis?

Re: not sendemail if "Results not found"

rdownie — Wed, 17 Sep 2014 12:26:19 GMT

Having the same issue. Is there a way when using the sendemail command to only send email if there are results?

Re: not sendemail if "Results not found"

ben363 — Wed, 01 Apr 2015 02:45:35 GMT

See http://answers.splunk.com/answers/13420/sendemail-to-function-send-email-only-if-there-are-results.html

Re: not sendemail if "Results not found"

sbochniewicz — Tue, 10 Nov 2015 15:30:45 GMT

Dirty way to do it, but effective!

Also a good way to email users who do bad things...

| eval to=case(_raw!="","whoz-at-who.com") | sendemail to=$result.to$

Re: not sendemail if "Results not found"

woodcock — Wed, 25 Jul 2018 21:13:39 GMT

Do it like this:

... | rename COMMENT1of3 AS "Splunk sendemail ALWAYS sends email, even when no results found; we address this with 2 settings:"
| rename COMMENT2of3 AS "First, we put 'null()' in 'to' header when no results; this causes 'sendemail' to error."
| rename COMMENT3of3 AS "Last, we use 'graceful=true' so that the search does not log any error for that."
| eval valueForToHeader=if(isnotnull(someFieldNameInYourResults), "YourGoodEmailGoesHere@YourCompany.com", null())
| sendemail
   to=$result.valueForToHeader$
   graceful=true
   ...

Re: not sendemail if "Results not found"

althomas — Wed, 13 Feb 2019 12:24:16 GMT

The caveat of this is that the email address must exist in the resultset, otherwise it assumes it's null. This means all your emails will have the field "valueForToHeader" at the end of all the columns. Could be worse, but could be much better.

If, in the case that you don't want to email if there are no results, you don't even need to put in an if statement. If there are no events, there can be no event where you can eval a value to a field -- therefore it will still try to send as null.

Tested the following scenarios:

| makeresults | eval to_address="test_address@company.com" | sendemail to=$result.to_address$ subject="Test Email"

This works

| makeresults | eval to_address="test_address@company.com" | table _time | sendemail to=$result.to_address$ subject="Test Email"

This does not work (null to address)

| makeresults | eval to_address="test_address@company.com", temp="something" | search temp="somethingelse" | sendemail to=$result.to_address$ subject="Test Email"

This does not work (null to address)