There have been others that have sent email alerts to recipient email addresses that are defined within each event within the results set. I'm struggling, however, with how to send a subset of the results set to a single email address, then another subset of the results to another.
Here's the (obfuscated) use case. First I need to acquire a set of hosts that have had a certain condition within the past month. For hosts in one geographic location, I'd like to send an e-mail alert to administrator Bob. For hosts in another geographic location, I'd like to send an e-mail alert to administrator Shelly. For hosts in X, send to Y.
Now, if there were just two or three admins, separate alerts could be lived with. But what if we have hundreds of locations and hundreds of admins? I'd like a single alert to then send each group of hosts, grouped by location, to an admin that is defined in a field within the results set. However, I don't want to send each admin an e-mail for each host (each event) in that group, but instead the entire list of hosts in the geography within a single e-mail alert to that admin.
I'm thinking this can only be facilitated with a custom alert action (Python scripting), but was wondering if anyone out there has done something similar with the built-in email alert functionality and/or via SPL with the sendmail command and/or other SPL tricks.
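The grouping logic a custom alert action would need, as an added example that is not part of the original post or of any Splunk code: take the results set (here a constructed CSV with the admin address in the emailToHeader field, as in the later queries in this thread; the host and location columns and all addresses are assumed for illustration), collapse it to one list of unique hosts per admin, and build exactly one digest message per admin instead of one per event. Delivery is injected as a callable so the code runs offline; in a real alert action it would wrap smtplib.SMTP.send_message.

```python
import csv
import io
from collections import defaultdict
from email.message import EmailMessage

# Constructed sample results set (not real data): one row per host/event.
# The admin address travels in emailToHeader, as in the poster's SPL; the
# host and location fields and every address are assumptions for this example.
SAMPLE_RESULTS = """\
host,location,emailToHeader
web01,nyc,bob@example.com
web02,nyc,bob@example.com
db01,lon,shelly@example.com
app07,nyc,bob@example.com
db02,lon,shelly@example.com
cache01,sfo,dana@example.com
web01,nyc,bob@example.com
"""


def group_hosts_by_admin(csv_text, admin_field="emailToHeader", host_field="host"):
    """Return {admin_email: sorted unique hosts} from a CSV results set.

    Rows with no recipient or no host are skipped rather than mis-routed
    to a default address, so nobody receives another location's hosts.
    """
    groups = defaultdict(set)  # set deduplicates repeated events per host
    for row in csv.DictReader(io.StringIO(csv_text)):
        admin = (row.get(admin_field) or "").strip()
        host = (row.get(host_field) or "").strip()
        if not admin or not host:
            continue
        groups[admin].add(host)
    return {admin: sorted(hosts) for admin, hosts in groups.items()}


def build_digest_messages(groups, sender, subject):
    """Build one EmailMessage per admin listing every host in that admin's group."""
    messages = []
    for admin, hosts in sorted(groups.items()):
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = admin  # each digest is addressed to exactly one admin
        msg["Subject"] = f"{subject} ({len(hosts)} hosts)"
        lines = ["Hosts matching the condition in the past month:", ""]
        lines += [f"  - {h}" for h in hosts]
        msg.set_content("\n".join(lines))
        messages.append(msg)
    return messages


def deliver(messages, send_func):
    """Send each digest via send_func(msg) and return the number delivered.

    send_func is injected so the grouping can be tested without an SMTP
    server; a real alert action would pass smtplib.SMTP(...).send_message.
    """
    sent = 0
    for msg in messages:
        send_func(msg)
        sent += 1
    return sent


if __name__ == "__main__":
    groups = group_hosts_by_admin(SAMPLE_RESULTS)
    digests = build_digest_messages(groups, "splunk@example.com", "Monthly condition report")
    # Dry run: print instead of sending, to show one message per admin.
    deliver(digests, lambda m: print(m.as_string(), "\n" + "-" * 40))
```

With the sample above this yields three messages (bob, dana, shelly), and bob's digest lists web01 once even though it appeared in two events.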
@pgreer_splunk are you able to do this? I am also trying to do the same thing. If yes, can you please post the answer?
You can find the solution in the link below; I followed it and it works perfectly!
https://answers.splunk.com/answers/399434/send-emailed-results-to-an-email-address-in-the-re.html
@pgreer_splunk Thanks, but it is not working for me. I did try a simple query using map and sendmail, but it is also not sending email.
Do you know what I am missing in the query below?
index=_internal
| stats count by sourcetype
| eval EmailContact=if(sourcetype="splunkd","email@id.com","email2@id.com")
| outputlookup MyTempLookup.csv
| stats values(EmailContact) AS emailToHeader
| mvexpand emailToHeader
| map search="
| inputlookup MyTempLookup.csv
| where EmailContact=\"$emailToHeader$\"
| fields - EmailContact
| sendemail
sendresults=true
inline=true
to=\"$emailToHeader$\"
subject=\"Your Subject here: \"
message=\"This report alert was generated by \$app\$ Splunk with this search string: \""
The query below shows results but is not sending any email.
index=_internal
| stats count by sourcetype
| eval emailToHeader=if(sourcetype="splunkd","user1@my.com","user2@my.com")
| outputlookup MyTempLookup.csv
| stats values(emailToHeader) AS emailToHeader
| mvexpand emailToHeader
| map search="
| inputlookup MyTempLookup.csv
| where emailToHeader=\"$emailToHeader$\"
| fields - emailToHeader
| sendemail
sendresults=true
inline=true
to=\"$emailToHeader$\"
subject=\"Your Subject here: \"
message=\"This report alert was generated by Splunk.\""
When I tried the above, I also received the error below in the internal log:
ERROR sendemail:1428 - [HTTP 403] Client is not authorized to perform requested action;
Traceback (most recent call last):
File "D:\Program Files\Splunk\etc\apps\search\bin\sendemail.py", line 1421, in <module>
results = sendEmail(results, settings, keywords, argvals)
File "D:\Program Files\Splunk\etc\apps\search\bin\sendemail.py", line 400, in sendEmail
jobResponseHeaders, jobResponseBody = simpleRequest(uriToJob, method='GET', getargs={'output_mode':'json'}, sessionKey=sessionKey)
File "D:\Program Files\Splunk\Python-3.7\lib\site-packages\splunk\rest\__init__.py", line 559, in simpleRequest
raise splunk.AuthorizationFailed(extendedMessages=uri)
splunk.AuthorizationFailed: [HTTP 403] Client is not authorized to perform requested action
Although the query returns results, it is unable to send email.
Thanks