topic How to use the sendemail command to send an email to different recipients from a lookup per event? in Splunk Search

How to use the sendemail command to send an email to different recipients from a lookup per event?

splunkrocks2014 — Tue, 29 Sep 2020 09:41:08 GMT

Hi.

I have a lookup object named user_email which contains a notified email list. If there is at least an event found from email_logs, based on the username within certain time range, we only need to send an email to the associated recipients with simple text such as "xyz found" from the lookup. For instance, this is my format of the lookup:

username          emails
------------      ---------------------------------------------------
xyz               team1@mail.com, team2@mail.com, team3@mail.com
abc               team3@mail.com

How can I use sendemail command in Splunk?

Thanks

Re: How to use the sendemail command to send an email to different recipients from a lookup per event?

somesoni2 — Wed, 11 May 2016 16:29:54 GMT

Have a look at the map command

http://docs.splunk.com/Documentation/Splunk/6.3.0/SearchReference/Map
https://answers.splunk.com/answers/61805/any-example-for-map-command.html

Re: How to use the sendemail command to send an email to different recipients from a lookup per event?

woodcock — Wed, 11 May 2016 17:15:06 GMT

This is from another Q&A:
https://answers.splunk.com/answers/399434/send-emailed-results-to-an-email-address-in-the-re.html#answer-399515

If you need to send a contextually-appropriate subset of results to some people, you can skip the configuration-based email settings and do this in SPL:

... | outputcsv TempFile.csv
| stats values(Email_Address) AS emailToHeader | mvexpand emailToHeader
| map search ="|inputcsv TempFile.csv | where Email_Addresss=\"$emailToHeader$\"
   | fields - Email_Address
   | sendemail
      sendresults=true inline=true
      server=\"Your.Value.Here\"
      from=\"Your.Value.Here\"
      to=\"$emailToHeader$\"
      subject=\"Your Subject here: \$name\$\"
      message=\"This report alert was generated by \$app\$ Splunk with this search string: \$search\$\""
| where comment="MakeSureNoEventsRemail"
| append [|inputcsv TempFile.csv]

Re: How to use the sendemail command to send an email to different recipients from a lookup per event?

splunkrocks2014 — Fri, 13 May 2016 18:03:08 GMT

Thanks woodcock.

I got two different issues although it seems working. Do you have any clues?
1) If there aren't any findings, getting the following error:
"Error in "map": Did not find value for required attributes 'xyz'

2) If there are some findings, the emails are sent out properly; however, there is an error message showed as "[subsearch]: command="sendemail", {} while sending mail to"

Thanks.

Re: How to use the sendemail command to send an email to different recipients from a lookup per event?

woodcock — Sun, 12 Jun 2016 17:39:32 GMT

Number 1 is "normal" and I have not found a good way to code around it. Number 2 I have never seen before and cannot reproduce.

Re: How to use the sendemail command to send an email to different recipients from a lookup per event?

sirajnp — Wed, 30 Jun 2021 07:43:23 GMT

It's pretty simple, don't even need to use map command. Just enable send email alert action and in to: field set $result.email$ (email - depend upon your field name in Splunk result) and select trigger "for each result". Email will be send to the respective email address for each line of result.

https://docs.splunk.com/Documentation/Splunk/6.3.3/Alert/Emailnotification#Send_email_to_different_recipients_based_on_search_results