Alerting

Custom Email Alert Recipients from the Reports

Communicator

Is it possible to send the alerts to the users who are in the reports ? I have a report sent via email which monitors failed logins when it hits a certain threshold. Now, I want to know if its possible to send this report to the user itself who've this failed logins.
Eg:

UserA --> 20 failed logins --> Send the report to User A
UserB -->10 failed logins --> Send the report to User B

1 Solution

Esteemed Legend

This cannot be done with the standard alert capabilities but you can call sendemail inside of the search itself:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Sendemail

Assuming you have passed your events through a lookup so that each event has a field called email_address, it will look somewhat like this:

... | outputcsv MySearchOutput.csv
    | stats values(email_address) AS emailToheader mvexpand emailToheader
    | map search="|inputcsv max=0 MySearchOutput.csv | where email_address="$emailToHeader$"
    | fields - email_address
    | sendemail
          sendresults=true inline=true
          from=\"somebody@somedomain.com\"
          to=\"$emailToHeader$\"
          subject=\"Some Subject\"
          message=\"Some Body\"
    | where Comment="Make sure no events remain and put the results back the way that they were so that Alert stuff works, too."
    | append [|inputcsv max=0 MySearchOutput.csv]

View solution in original post

Esteemed Legend

This cannot be done with the standard alert capabilities but you can call sendemail inside of the search itself:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Sendemail

Assuming you have passed your events through a lookup so that each event has a field called email_address, it will look somewhat like this:

... | outputcsv MySearchOutput.csv
    | stats values(email_address) AS emailToheader mvexpand emailToheader
    | map search="|inputcsv max=0 MySearchOutput.csv | where email_address="$emailToHeader$"
    | fields - email_address
    | sendemail
          sendresults=true inline=true
          from=\"somebody@somedomain.com\"
          to=\"$emailToHeader$\"
          subject=\"Some Subject\"
          message=\"Some Body\"
    | where Comment="Make sure no events remain and put the results back the way that they were so that Alert stuff works, too."
    | append [|inputcsv max=0 MySearchOutput.csv]

View solution in original post

Communicator

Problem is only the username is captured in the log and corresponding email id format is different. Username can be jdoe and email will be john.doe@ . Do you think there must be some script that can pull this info from the ldap or ad ?

0 Karma

Esteemed Legend

Yes. You can either do a nightly LDAP for all users and dump to a lookup file OR do a scripted lookup to LDAP each user. Either way, my original answer is the same: you just need to convert user to email first.

0 Karma

Communicator

Understood. I was rather thinking if there's a way to do a real-time ldap check because the number of users are very high so I do not know how feasible dumping a lookup from LDAP will be.

0 Karma

Esteemed Legend

Yes, this can be done but I have not done it so cannot speak to the details. You are probably best off closing out this question by clicking "Answer" and the asking a new question about LDAP lookups.

0 Karma

Explorer

http://docs.splunk.com/Documentation/Splunk/latest/Alert/Emailnotification

See the section "Send email to different recipients based on search results".

Communicator

Agree that helps. But I am stuck in a situation where the userid is not exactly same as email. Lets say:

user Jdoe has 20 Failed Logins. The email id of this user could be john.joe@domain.com

0 Karma