Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- How to send an email to users present the results ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to send an email to users present the results using Splunk Alerts?
Hello Everyone,
I have created an alert who looks for the security events for few applications and if the condition matches it must notify users related to that specific application.
Let's say we have applications A, B and Application A has a field users with values test, test2, test3. and Application B has a field users with values test4, test5, test6, If Application A has any security breach events it must send an email to users.
Regards,
Sai
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Looks like as of Splunk 8.1 you should be able to pipe in tokens into the sendemail command. https://docs.splunk.com/Documentation/Splunk/9.1.2/SearchReference/Sendemail
If you have a scenario where you may need to email multiple groups across different applications from one search than you may be able to utilize the "map" command piped directly to the "sendemail" command.
(May need to some testing on this, but I'm pretty sure I have seen this done before)
Note: map command will attempt to dispatch a search for each row from the parent search returned. There is a default limit of the max searches it will attempt to send (maxsearches=10)
You can find more here.
https://docs.splunk.com/Documentation/Splunk/9.1.2/SearchReference/Map
Example:
| search index IN ("app_index_1", "app_index_2") CASE(ERROR)
| bucket span=1h _time
``` mapping notification user by eval or lookup or possible derived from the _raw data (This example is just setting a hardcoded list of users to each application) ```
| eval
notification_users_email=case(
'index'=="app_index_1", mvappend("user_1@acme.com", "user_3@acme.com", "user_5@acme.com"),
'index'=="app_index_2", "user_2@acme.com"
)
| stats
count as error_count
values(notification_users_email) as notification_users_email
by _time, app
``` Trigger criteria for more than 50 errors for specific application in a 1 hour time window ```
| where 'error_count'>50
``` prepare notification user field to be formatted for the sendemail command (convert multivalue field of unique values to a comma delimeted list of users) ```
| eval
notification_users_email=mvjoin(notification_users_email, ",")
``` prepare message to send to email list for the application ```
| eval
message='app'." had ".'error_count'." errors in a one hour time window. Please investigate..."
``` each row returned from the parent search will be piped into the map command and send out its own email to the list of users associated with the applications meeting the alert criteria ```
| map search="sendemail to=\"$notification_users_email$\" message=\"$message$\"" maxsearches=10
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you very much @dtburrows3!!
I can see the results for each application but looks like the map does not work for me. I also tried to use just sendemail command but it does not work either.
When i give the email id manually i can see an email getting triggered but not when i use the field name which has email id's.
Can you provide suggestion on this?
Thanks in advance!
Observe and Secure All Apps with Splunk
Splunk Decoded: Business Transactions vs Business IQ
Fastest way to demo Observability
