topic Re: How to use the sendemail command to send results to different emails created with eval? in Splunk Search

How to use the sendemail command to send results to different emails created with eval?

kalianov — Thu, 07 Apr 2016 09:54:34 GMT

Hi splunkers !!! Need help.

I used eval to create a field with the email address for some users:

search myquery.... | fields username, result | eval mail=username+"@mydomain.com"
|sendemail to=mail subject="Splunk is wathing you" sendresults=true
inline=true priority=normal

But it's not working.

In python.log
I want to send emails for all users from my search with specific results for every username from the search.
Is it possible? Can I use "mail" field like variable?

Re: How to use the sendemail command to send results to different emails created with eval?

mcronkrite — Thu, 07 Apr 2016 10:31:32 GMT

Have you tried:
https://answers.splunk.com/answers/186045/how-can-i-use-a-combination-of-map-and-sendemail-t.html

https://answers.splunk.com/answers/213340/how-to-get-splunk-sendemail-command-to-send-multip.html

Re: How to use the sendemail command to send results to different emails created with eval?

woodcock — Thu, 07 Apr 2016 15:30:08 GMT

As a test, configure your Search Head to use gmail like this:

http://blogs.splunk.com/2014/06/27/splunk-alerts-using-gmail-twitter-phone-calls-and-much-more/

Re: How to use the sendemail command to send results to different emails created with eval?

kalianov — Fri, 08 Apr 2016 12:08:51 GMT

It's a good way but I still have one problem.

my search | stats count(filename) AS files, sum(size) AS TotalMb by user| sort -TotalMb |  eval email=user."@mydomai.com" 
| table user, files, TotalMb, email | head 2 
| sendemail  to=$email$ from=$splunk@mydomain.com$ subject="Big files" sendresults=true inline=true priority=normal server="mail.server" message="TEST"

Result is emailed for each user with the same table:
1 user1, 123, 506Mb, user1@mydomai.com
2 user2, 234, 26Mb, user2@mydomai.com

But I need a separate email:
Email1 to user1@mydomai.com
1 user1, 123, 506Mb, user1@mydomai.com
Email2 to user2@mydomai.com
2 user2, 234, 26Mb, user2@mydomai.com

I have tried:

| map search="sendemail  to=$email$ from=$splunk@mydomain.com$ subject="Big files" sendresults=true inline=true priority=normal server="mail.server" message="TEST""

but each user receives email with "No results found"

Re: How to use the sendemail command to send results to different emails created with eval?

kalianov — Tue, 12 Apr 2016 14:35:45 GMT

I must to use internal email server

Re: How to use the sendemail command to send results to different emails created with eval?

afarmer — Tue, 05 Dec 2017 18:44:45 GMT

Did you ever get this to work?

Re: How to use the sendemail command to send results to different emails created with eval?

sirajnp — Wed, 30 Jun 2021 07:36:46 GMT

It's pretty simple, don't even need to use map command. Just enable send email alert action and in to: field set $result.email$ (email - depend upon your field name in Splunk result) and select trigger "for each result". Email will be send to the respective email address for each line of result.

https://docs.splunk.com/Documentation/Splunk/6.3.3/Alert/Emailnotification#Send_email_to_different_recipients_based_on_search_results