Custom Email Alert Recipients from the Reports

muralianup
Communicator

Is it possible to send the alerts to the users who are in the reports? I have a report sent via email which monitors failed logins when it hits a certain threshold. Now, I want to know if it's possible to send this report to the users themselves who have these failed logins.
Eg:

UserA --> 20 failed logins --> Send the report to User A
UserB --> 10 failed logins --> Send the report to User B

1 Solution

woodcock
Esteemed Legend

This cannot be done with the standard alert capabilities but you can call sendemail inside of the search itself:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Sendemail

Assuming you have passed your events through a lookup so that each event has a field called email_address, it will look somewhat like this:

... | outputcsv MySearchOutput.csv
    | stats values(email_address) AS emailToHeader
    | mvexpand emailToHeader
    | map maxsearches=1000 search="| inputcsv max=0 MySearchOutput.csv
          | where email_address=\"$emailToHeader$\"
          | fields - email_address
          | sendemail
                sendresults=true inline=true
                from=\"somebody@somedomain.com\"
                to=\"$emailToHeader$\"
                subject=\"Some Subject\"
                message=\"Some Body\""
    | where Comment="Make sure no events remain and put the results back the way that they were so that Alert stuff works, too."
    | append [|inputcsv max=0 MySearchOutput.csv]

muralianup
Communicator

The problem is that only the username is captured in the log and the corresponding email ID format is different. The username can be jdoe while the email will be john.doe@ . Do you think there must be some script that can pull this info from LDAP or AD?

0 Karma

woodcock
Esteemed Legend

Yes. You can either do a nightly LDAP query for all users and dump the results to a lookup file, OR do a scripted lookup to LDAP for each user. Either way, my original answer is the same: you just need to convert user to email first.

0 Karma
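As an added example (not woodcock's code, and not a script shipped with Splunk), this is what the "scripted lookup to LDAP" route in the answer above looks like as a Splunk external lookup. Splunk runs the script once per search, writing a CSV (header plus one row per distinct value) to stdin and reading the same CSV back from stdout with the missing column filled in, so the conversion of user to email happens as a single `| lookup` step before the sendemail part. The lookup name `ldap_email`, the script name `ldap_email_lookup.py`, and the field names `user` and `email` are assumptions; the directory contents are constructed for the example, standing in for the LDAP/AD query you would put in `resolve_user()` and `resolve_email()`.

```python
"""Splunk external (scripted) lookup: account name <-> mail address.

Added example, not the original poster's code. Assumed transforms.conf
stanza (lookup name, script name and field names are assumptions):

    [ldap_email]
    external_cmd = ldap_email_lookup.py user email
    fields_list = user, email

then in the search, before the per-recipient sendemail:

    ... | lookup ldap_email user OUTPUT email AS email_address

Splunk writes a CSV with a header row to stdin (one row per distinct
value of the input field) and expects the same CSV, with the missing
column filled in, on stdout.
"""
import csv
import io
import sys
from typing import Dict, Iterable, List, Optional

# Constructed stand-in for the directory. In production, replace
# resolve_user()/resolve_email() with real LDAP queries (for AD:
# filter "(sAMAccountName=<user>)", attribute "mail", and the reverse
# "(mail=<address>)", attribute "sAMAccountName"). Keys are lower-cased
# because AD account names are case-insensitive: the log may say "Jdoe".
FAKE_DIRECTORY: Dict[str, str] = {
    "jdoe": "john.doe@domain.com",
    "asmith": "alice.smith@domain.com",
}
FAKE_DIRECTORY_BY_EMAIL: Dict[str, str] = {
    mail.lower(): acct for acct, mail in FAKE_DIRECTORY.items()
}


def resolve_user(user: str) -> Optional[str]:
    """Mail address for an account name, or None if the directory has no entry."""
    return FAKE_DIRECTORY.get(user.strip().lower())


def resolve_email(email: str) -> Optional[str]:
    """Reverse direction: account name for a mail address, or None."""
    return FAKE_DIRECTORY_BY_EMAIL.get(email.strip().lower())


def fill_rows(rows: Iterable[Dict[str, str]], user_field: str,
              email_field: str) -> List[Dict[str, str]]:
    """Fill whichever of the two fields is empty.

    Rows that cannot be resolved are dropped, which leaves the field unset
    in Splunk. That is deliberate: a failed-login report must never be
    mailed to a guessed address, only to one the directory returned.
    """
    out: List[Dict[str, str]] = []
    for row in rows:
        user = (row.get(user_field) or "").strip()
        email = (row.get(email_field) or "").strip()
        if user and email:
            out.append(row)  # both known, pass through untouched
        elif user:
            mail = resolve_user(user)
            if mail:
                out.append({**row, email_field: mail})
        elif email:
            acct = resolve_email(email)
            if acct:
                out.append({**row, user_field: acct})
        # rows with neither field populated are dropped as well
    return out


def process(csv_text: str, user_field: str, email_field: str) -> str:
    """Run the lookup over the CSV Splunk sends and return the CSV to send back."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if reader.fieldnames is None:
        return ""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(fill_rows(reader, user_field, email_field))
    return out.getvalue()


def main(argv: List[str]) -> int:
    if len(argv) != 3:
        sys.stderr.write(f"Usage: {argv[0]} <user field> <email field>\n")
        return 1
    sys.stdout.write(process(sys.stdin.read(), argv[1], argv[2]))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because Splunk batches the distinct values into one invocation rather than calling the script per event, a real implementation opens a single LDAP connection per batch, which is what makes the "real-time" check asked about below workable for a large user base. Bind credentials for that connection belong in a config file readable only by the Splunk user, not in the script body.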

muralianup
Communicator

Understood. I was rather thinking if there's a way to do a real-time LDAP check, because the number of users is very high, so I do not know how feasible dumping a lookup from LDAP will be.

0 Karma

woodcock
Esteemed Legend

Yes, this can be done but I have not done it so cannot speak to the details. You are probably best off closing out this question by clicking "Answer" and then asking a new question about LDAP lookups.

0 Karma

jstacey_intuit
Explorer

http://docs.splunk.com/Documentation/Splunk/latest/Alert/Emailnotification

See the section "Send email to different recipients based on search results".

muralianup
Communicator

Agree, that helps. But I am stuck in a situation where the userid is not exactly the same as the email. Let's say:

user Jdoe has 20 failed logins. The email ID of this user could be john.joe@domain.com

0 Karma