Alerting

Email alert to recipient within results set, multiple results events to each recipient

pgreer_splunk
Splunk Employee

There have been others that have sent email alerts to recipient email addresses that are defined within each event within the results set. I'm struggling, however, on how to send a subset of the results set to a single email address, then another subset of the results to another.

Here's the (obfuscated) use case. First I need to acquire a set of hosts that have had a certain condition within the past month. For hosts in one geographic location, I'd like to send an e-mail alert to administrator Bob. For hosts in another geographic location, I'd like to send an e-mail alert to administrator Shelly. For hosts in X, send to Y.

Now, if there were just two or three admins, separate alerts could be lived with. But what if we have hundreds of locations and hundreds of admins? I'd like a single alert to then send each host group, by location, to an admin that is defined in a field within the results set. However, I don't want to send each admin an e-mail for each host (each event) in that group, but instead the entire list of hosts in the geography within a single e-mail alert to that admin.

I'm thinking this can only be facilitated with a custom alert action (Python scripting), but was wondering if anyone out there has done something similar with the built-in email alert functionality and/or via SPL with the sendmail command and/or other SPL tricks.

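The custom-alert-action route mentioned above, written out as an added example (this is not code from the thread or from Splunk). It assumes the search emits one row per host with an `admin_email` field plus `host`, `location` and `condition` fields, that the action runs with the usual Splunk contract (a JSON payload on stdin whose `results_file` key names a gzipped CSV of results), and an assumed `smtp_host` parameter in that payload's configuration. The grouping and message-building steps are plain functions over dict rows, so they can be checked offline with the constructed sample data without an SMTP server; only recipients with a usable address get a message, and rows with an empty address are reported rather than silently dropped.

```python
"""Custom alert action: one e-mail per recipient listing all of that
recipient's hosts.  Added example; field names and smtp_host are assumptions."""
import csv
import gzip
import io
import json
import smtplib
import sys
from collections import OrderedDict
from email.message import EmailMessage

# Constructed sample results, shaped like the CSV the search would hand over.
SAMPLE_RESULTS_CSV = """host,location,admin_email,condition
web01,us-east,bob@example.com,disk_full
web02,us-east,bob@example.com,disk_full
db01,eu-west,shelly@example.com,disk_full
app07,apac,bob@example.com,disk_full
orphan01,apac,,disk_full
"""


def rows_from_csv_text(text):
    """Parse CSV text into a list of dict rows (one per result event)."""
    return list(csv.DictReader(io.StringIO(text)))


def group_results(rows, recipient_field="admin_email"):
    """Bucket rows by recipient address, preserving first-seen order.
    Addresses are trimmed and lower-cased so case variants share a bucket;
    rows with no address are kept under the empty-string key."""
    groups = OrderedDict()
    for row in rows:
        key = (row.get(recipient_field) or "").strip().lower()
        groups.setdefault(key, []).append(row)
    return groups


def build_message(recipient, rows, sender, subject_prefix, host_field="host"):
    """Build a single EmailMessage summarising every row for one recipient."""
    hosts = sorted({r[host_field] for r in rows if r.get(host_field)})
    body = [f"{r.get(host_field, '')}\t{r.get('location', '')}\t{r.get('condition', '')}"
            for r in rows]
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = f"{subject_prefix}: {len(hosts)} host(s) matched"
    msg.set_content("Hosts in your area that matched the alert condition:\n\n"
                    "host\tlocation\tcondition\n" + "\n".join(body) + "\n")
    return msg


def build_all(rows, sender="splunk-alerts@example.com",
              subject_prefix="Host alert", recipient_field="admin_email"):
    """Return (messages, skipped_rows): one message per recipient, plus the
    rows that had no usable recipient address."""
    messages, skipped = [], []
    for recipient, group in group_results(rows, recipient_field).items():
        if not recipient:
            skipped.extend(group)
            continue
        messages.append(build_message(recipient, group, sender, subject_prefix))
    return messages, skipped


def send_all(messages, transport):
    """Send via any object with send_message(msg) (smtplib.SMTP has one)."""
    for msg in messages:
        transport.send_message(msg)
    return len(messages)


class PrintingTransport:
    """Offline stand-in for smtplib.SMTP, used when run without --execute."""
    def send_message(self, msg):
        print(f"--> {msg['To']}: {msg['Subject']}")


def main(argv):
    if "--execute" in argv:
        # Real alert-action invocation: payload on stdin, results in a gzipped CSV.
        payload = json.load(sys.stdin)
        with gzip.open(payload["results_file"], "rt", newline="") as fh:
            rows = list(csv.DictReader(fh))
        smtp_host = payload.get("configuration", {}).get("smtp_host", "localhost")  # assumed
        messages, skipped = build_all(rows)
        with smtplib.SMTP(smtp_host) as transport:
            send_all(messages, transport)
    else:
        messages, skipped = build_all(rows_from_csv_text(SAMPLE_RESULTS_CSV))
        send_all(messages, PrintingTransport())
    for row in skipped:
        print(f"no recipient for host {row.get('host')}", file=sys.stderr)


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run without arguments to see the per-recipient messages built from the sample data; with `--execute` it follows the alert-action contract. Keeping the transport injectable is what lets the grouping be tested, and it also makes it easy to swap in a throttled or logging sender if hundreds of admins are involved.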

ips_mandar
Builder

@pgreer_splunk are you able to do this? I am also trying to do the same thing. If yes, can you please post the answer.


tleduc
New Member

You can find the solution in the link below; I followed it and it works perfectly!
https://answers.splunk.com/answers/399434/send-emailed-results-to-an-email-address-in-the-re.html


ips_mandar
Builder

@pgreer_splunk Thanks, but it is not working for me. I did try a simple query using map and sendmail, but it is also not sending email.
Do you know what I am missing in the query below?

index=_internal
| stats count by sourcetype
| eval EmailContact=if(sourcetype="splunkd","email@id.com","email2@id.com")
| outputlookup MyTempLookup.csv
| stats values(EmailContact) AS emailToHeader
| mvexpand emailToHeader
| map search="
     | inputlookup MyTempLookup.csv
     | where EmailContact=\"$emailToHeader$\"
     | fields - EmailContact
     | sendemail
       sendresults=true
       inline=true
       to=\"$emailToHeader$\"
       subject=\"Your Subject here: \"
       message=\"This report alert was generated by \$app\$ Splunk with this search string: \""

The above query shows results but is not sending any email.


tleduc
New Member

index=_internal 
| stats count by sourcetype 
| eval emailToHeader=if(sourcetype="splunkd","user1@my.com","user2@my.com") 
| outputlookup MyTempLookup.csv
| stats values(emailToHeader) AS emailToHeader
| mvexpand emailToHeader
| map search="
     | inputlookup MyTempLookup.csv
     | where emailToHeader=\"$emailToHeader$\"
     | fields - emailToHeader
     | sendemail
       sendresults=true 
       inline=true
       to=\"$emailToHeader$\"
       subject=\"Your Subject here: \"
       message=\"This report alert was generated by Splunk.\""

ips_mandar
Builder

When I tried the above, I also receive the error below in the internal log:

ERROR    sendemail:1428 - [HTTP 403] Client is not authorized to perform requested action;
 Traceback (most recent call last):
   File "D:\Program Files\Splunk\etc\apps\search\bin\sendemail.py", line 1421, in <module>
     results = sendEmail(results, settings, keywords, argvals)
   File "D:\Program Files\Splunk\etc\apps\search\bin\sendemail.py", line 400, in sendEmail
     jobResponseHeaders, jobResponseBody = simpleRequest(uriToJob, method='GET', getargs={'output_mode':'json'}, sessionKey=sessionKey)
   File "D:\Program Files\Splunk\Python-3.7\lib\site-packages\splunk\rest\__init__.py", line 559, in simpleRequest
     raise splunk.AuthorizationFailed(extendedMessages=uri)
 splunk.AuthorizationFailed: [HTTP 403] Client is not authorized to perform requested action

Although the query returns results, it is unable to send email.
Thanks
