How to send email alert to different users based on search result and attach different results sets fot them?

Path Finder

Alert search query goes like:
index=oraclecon2 source=OracleCon2 sourcetype=OracleCon2 earliest=-10m@m latest=now BranchIdentifier=* | sort _time | stats avg(EWS) as EwsNow by SensorId BranchIdentifier| appendcols [search index=oraclecon2 source=OracleCon2 sourcetype=OracleCon2 earliest=-20m@m latest=-10m@m BranchIdentifier=* | sort _time | stats avg(EWS) as EwsThen by SensorId BranchIdentifier ] | eval difference=(EwsNow-EwsThen) | eval SendAlert= case(difference < 0.5,"No",difference > 0.5,"Yes") | search SendAlert="Yes" | table BranchIdentifier SensorId EwsThen EwsNow | dedup SensorId
It provides me data as:
BranchIdentifier SensorId EwsThen EwsNow
1 1 6 7
1 2 7 8
2 7 8 9
4 11 2 4
Now I want to send this email to different branch manager of branches 1, 2 and 4 and want to attach only part of alert result that is related to their branch. I have many branches in the same index so I don't want to create separate alerts for each of them
I am new to splunk so not very well strong with search language, please help me with possible modifications that should do to this alert search to solve the problem


0 Karma
1 Solution

Super Champion

here is some documentation on email alerts. You can send an alert email to different recipients based on search results by adding an eval statement in the search:

...|eval email=case(SendAlert="Yes" AND BranchIdentifier=1,""....)...

and in your To box on the alert, add $$

This Answers may be of help, though, also:

0 Karma
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2023 Splunk Career Impact Report

We’ve been shouting it from the rooftops! The findings from the 2023 Splunk Career Impact Report showing that ...

Splunk Lantern | Getting Started with Edge Processor, Machine Learning Toolkit ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...