Is it possible to send the alerts to the users who are in the reports? I have a report sent via email which monitors failed logins when it hits a certain threshold. Now, I want to know if it's possible to send this report to the user who has these failed logins.
Eg:
UserA --> 20 failed logins --> Send the report to User A
UserB --> 10 failed logins --> Send the report to User B
This cannot be done with the standard alert capabilities but you can call sendemail
inside of the search itself:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Sendemail
Assuming you have passed your events through a lookup so that each event has a field called email_address, it will look somewhat like this:
... | outputcsv MySearchOutput.csv
| stats values(email_address) AS emailToHeader
| mvexpand emailToHeader
| map search="| inputcsv max=0 MySearchOutput.csv
    | where email_address=\"$emailToHeader$\"
    | fields - email_address
    | sendemail
        sendresults=true inline=true
        from=\"somebody@somedomain.com\"
        to=\"$emailToHeader$\"
        subject=\"Some Subject\"
        message=\"Some Body\""
| where Comment="Make sure no events remain and put the results back the way that they were so that Alert stuff works, too."
| append [|inputcsv max=0 MySearchOutput.csv]
The problem is that only the username is captured in the log, and the corresponding email id format is different. The username can be jdoe and the email will be john.doe@ . Do you think there must be some script that can pull this info from LDAP or AD?
Yes. You can either do a nightly LDAP for all users and dump it to a lookup file, OR do a scripted lookup to LDAP for each user. Either way, my original answer is the same: you just need to convert user to email first.
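The scripted-lookup route proposed above, as an added example that is not part of the original thread: a Splunk external lookup script that fills `email_address` from `user` so the sendemail search can run on the converted field. It follows Splunk's external lookup contract (field names as arguments, CSV in on stdin, CSV out on stdout); the `DIRECTORY` dictionary and the field names `user`/`email_address` are assumptions standing in for the real LDAP/AD query.

```python
#!/usr/bin/env python3
"""Splunk external (scripted) lookup: username -> email_address.

Splunk's external lookup contract: the field names are passed as command-line
arguments (transforms.conf external_cmd), the input rows arrive on stdin as CSV
with those columns, and the script prints CSV with the same columns, filling
in the blanks it can resolve.
"""
import csv
import sys

# Constructed stand-in for the directory. A real deployment would replace
# this with an LDAP/AD search on the account name (assumption, not Splunk code).
DIRECTORY = {
    "jdoe": "john.doe@example.com",
    "asmith": "alice.smith@example.com",
}


def lookup_email(user, directory=DIRECTORY):
    """Return the mail address for a username, or None if it is unknown."""
    return directory.get(user.strip().lower())


def fill_rows(rows, user_field="user", email_field="email_address",
              directory=DIRECTORY):
    """Fill email_field for every row that carries user_field.

    Unknown users are left blank so Splunk records a lookup miss instead of
    the search failing; downstream SPL can route those to a fallback address.
    """
    out = []
    for row in rows:
        row = dict(row)
        user = row.get(user_field, "")
        if user and not row.get(email_field):
            row[email_field] = lookup_email(user, directory) or ""
        out.append(row)
    return out


def main(argv=sys.argv, stdin=sys.stdin, stdout=sys.stdout):
    user_field, email_field = argv[1], argv[2]  # e.g. "user email_address"
    reader = csv.DictReader(stdin)
    if reader.fieldnames is None:  # empty input: nothing to resolve
        return
    writer = csv.DictWriter(stdout, fieldnames=reader.fieldnames)
    writer.writeheader()
    writer.writerows(fill_rows(reader, user_field, email_field))


if __name__ == "__main__":
    main()
```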
Understood. I was rather thinking if there's a way to do a real-time LDAP check, because the number of users is very high, so I do not know how feasible dumping a lookup from LDAP will be.
Yes, this can be done but I have not done it so cannot speak to the details. You are probably best off closing out this question by clicking "Answer" and then asking a new question about LDAP lookups.
http://docs.splunk.com/Documentation/Splunk/latest/Alert/Emailnotification
See the section "Send email to different recipients based on search results".
Agree, that helps. But I am stuck in a situation where the userid is not exactly the same as the email. Let's say:
user Jdoe has 20 failed logins. The email id of this user could be john.joe@domain.com