How to send an email to users presenting the results using Splunk Alerts?

sbollam
Explorer

Hello Everyone,

I have created an alert that looks for security events for a few applications, and if the condition matches it must notify the users related to that specific application.

Let's say we have applications A and B. Application A has a field users with values test, test2, test3, and Application B has a field users with values test4, test5, test6. If Application A has any security breach events, it must send an email to users.

Regards,

Sai

0 Karma

dtburrows3
Builder

Looks like as of Splunk 8.1 you should be able to pipe tokens into the sendemail command. https://docs.splunk.com/Documentation/Splunk/9.1.2/SearchReference/Sendemail

If you have a scenario where you may need to email multiple groups across different applications from one search, then you may be able to utilize the "map" command piped directly to the "sendemail" command.

(May need to do some testing on this, but I'm pretty sure I have seen this done before)

Note: the map command will attempt to dispatch a search for each row returned from the parent search. There is a default limit on the maximum number of searches it will attempt to dispatch (maxsearches=10).
You can find more here: https://docs.splunk.com/Documentation/Splunk/9.1.2/SearchReference/Map

Example:

| search index IN ("app_index_1", "app_index_2") CASE(ERROR)
| bucket span=1h _time
``` derive an application name from the index so the stats grouping and the message below can refer to 'app' ```
| eval app='index'
``` mapping notification user by eval or lookup or possibly derived from the _raw data (This example is just setting a hardcoded list of users to each application) ```
| eval
    notification_users_email=case(
        'index'=="app_index_1", mvappend("user_1@acme.com", "user_3@acme.com", "user_5@acme.com"),
        'index'=="app_index_2", "user_2@acme.com"
        )
| stats
    count as error_count
    values(notification_users_email) as notification_users_email
    by _time, app
``` Trigger criteria for more than 50 errors for specific application in a 1 hour time window ```
| where 'error_count'>50
``` prepare notification user field to be formatted for the sendemail command (convert multivalue field of unique values to a comma delimited list of users) ```
| eval
    notification_users_email=mvjoin(notification_users_email, ",")
``` prepare message to send to email list for the application ```
| eval
    message='app'." had ".'error_count'." errors in a one hour time window. Please investigate..."
``` each row returned from the parent search will be piped into the map command and send out its own email to the list of users associated with the applications meeting the alert criteria. The mapped search must start with a pipe: without it "sendemail" is parsed as a search term instead of a command, and makeresults gives sendemail a result row to act on ```
| map search="| makeresults | sendemail to=\"$notification_users_email$\" message=\"$message$\"" maxsearches=10
0 Karma
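A lookup-driven variant of the map + sendemail approach above, added here as an example and not part of dtburrows3's answer. It assumes a hypothetical lookup table file app_notification_users.csv with the columns index and notification_users_email (one row per user), routes any index that has no mapping to a placeholder fallback mailbox so no row reaches map with an empty to= list, and dispatches one email per application and hour bucket.

```spl
| search index IN ("app_index_1", "app_index_2") CASE(ERROR)
| bucket span=1h _time
| stats count as error_count by _time, index
| where 'error_count'>50
| lookup app_notification_users.csv index OUTPUT notification_users_email
| eval notification_users_email=coalesce(notification_users_email, "soc-fallback@example.com")
| eval notification_users_email=mvjoin(mvdedup(notification_users_email), ",")
| eval message='index'." had ".'error_count'." errors in the hour starting ".strftime(_time, "%Y-%m-%d %H:%M").". Please investigate."
| map search="| makeresults | sendemail to=\"$notification_users_email$\" subject=\"Error alert for $index$\" message=\"$message$\" sendresults=false" maxsearches=10
```

Keep maxsearches at or above the number of rows you expect the threshold to produce in one run; map stops dispatching once the limit is reached, so any further applications would silently get no email.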

sbollam
Explorer

Thank you very much @dtburrows3!!

I can see the results for each application, but it looks like the map does not work for me. I also tried to use just the sendemail command, but it does not work either.

When I give the email ID manually I can see an email getting triggered, but not when I use the field name which has the email IDs.

Can you provide a suggestion on this?

Thanks in advance!

0 Karma