I have about 30 saved searches that run on a periodic basis looking for configuration errors (incorrect characters) in integration files. This gives us an enterprise view of: new configs, disabled configs, erroneous configs, etc. This further needs to be broken down into divisional views (15 each) before being sent to the end users, who will make the appropriate changes (if needed) to correct the integrations.
I would prefer not to have 450 saved searches running to do this. I capture division information in the search and have email addresses associated with the divisions in a lookup file.
My question then becomes can I do something like:
... | lookup divisionemaillist division OUTPUT divisionemailaddress | eval action.email.to=divisionemailaddress
I know it will be a bit more involved than that; I just need to be pointed in the right direction.
Thanks in advance for anyone who can assist!
This should work:
... | lookup division_email_list division OUTPUT division_email_address | sendemail to=division_email_address format="html" server=smtp.gmail.com:587 use_tls=1
Take a look at the Python script $SPLUNK_HOME/etc/apps/search/bin/sendemail.py for the other keyword arguments you can use with the sendemail command.
Using this function, I would need to remove the portion of my saved search that contains:
action.email = 1
action.email.subject = Removed Integration Configs
action.email.sendresults = 1
action.email.attached = 1
action.email.format = csv
I had a similar use case with PDFs. I finally wrote a script to generate the saved searches and schedules based on a template and a CSV of parameters.
Maybe you can hack it to fit your use case.
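As an added example (not the script from the reply above, nor anything the original poster wrote), here is one way to implement that template-plus-CSV approach: a small Python generator that emits one savedsearches.conf stanza per (base search, division), taking the recipient address from the same division/email lookup file the question mentions. The lookup contents, the base searches, the index and the cron schedule are constructed for the example; the stanza attributes (search, cron_schedule, enableSched, dispatch.*, action.email.*) are standard savedsearches.conf keys. The lookup loader refuses blank divisions, duplicate rows and malformed addresses, because a bad row in the lookup would otherwise produce a scheduled report that silently goes to nobody.

```python
"""Generate per-division savedsearches.conf stanzas from a template and a lookup CSV.

Added example for this thread; not the original poster's searches or the
answerer's script. Search names, index, schedule and addresses are made up.
"""
import csv
import io
import re

# Constructed sample lookup file (same shape as the division/email lookup in the question).
LOOKUP_CSV = """division,division_email_address
AMER,amer-integrations@example.com
APAC,apac-integrations@example.com
EMEA,emea-integrations@example.com
"""

# Constructed base searches: (stanza base name, enterprise-wide search, email subject).
# Each base search must already carry a `division` field, e.g. via a lookup.
BASE_SEARCHES = [
    ("Removed Integration Configs",
     'index=integrations sourcetype=intconfig status=removed | lookup divisionlist host OUTPUT division',
     "Removed Integration Configs"),
    ("Erroneous Integration Configs",
     'index=integrations sourcetype=intconfig | regex config_line="[^ -~]" | lookup divisionlist host OUTPUT division',
     "Erroneous Integration Configs"),
]

# One stanza per (search, division). {division_spl} is the division name escaped for SPL.
STANZA_TEMPLATE = """[{name} - {division}]
search = {base_search} | search division="{division_spl}"
cron_schedule = {cron}
enableSched = 1
dispatch.earliest_time = -24h
dispatch.latest_time = now
action.email = 1
action.email.to = {email}
action.email.subject = {subject} ({division})
action.email.sendresults = 1
action.email.attached = 1
action.email.format = csv
"""

# Deliberately strict: one address per row, no spaces, commas or extra '@'.
EMAIL_RE = re.compile(r"^[^@\s,]+@[^@\s,]+\.[^@\s,]+$")


def load_lookup(text):
    """Parse the lookup CSV into {division: email}, rejecting rows that would
    yield an unroutable or ambiguous stanza."""
    reader = csv.DictReader(io.StringIO(text))
    required = {"division", "division_email_address"}
    present = set(reader.fieldnames or [])
    if not required.issubset(present):
        raise ValueError("lookup is missing columns: %s" % sorted(required - present))
    lookup = {}
    for row in reader:
        division = (row["division"] or "").strip()
        email = (row["division_email_address"] or "").strip()
        if not division or "]" in division or "\n" in division:
            raise ValueError("invalid division name %r (blank, or contains ']')" % division)
        if not EMAIL_RE.match(email):
            raise ValueError("bad address for division %r: %r" % (division, email))
        if division in lookup:
            raise ValueError("division %r listed twice in lookup" % division)
        lookup[division] = email
    return lookup


def escape_spl(value):
    """Escape a value for use inside a double-quoted SPL string literal."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def render_stanzas(base_searches, lookup, cron="0 6 * * *"):
    """Return savedsearches.conf text with one stanza per (search, division)."""
    stanzas = []
    for name, base_search, subject in base_searches:
        for division, email in sorted(lookup.items()):
            stanzas.append(STANZA_TEMPLATE.format(
                name=name, division=division, division_spl=escape_spl(division),
                base_search=base_search, cron=cron, email=email, subject=subject))
    return "\n".join(stanzas)


def count_stanzas(conf_text):
    """Number of [stanza] headers in generated conf text (for a sanity check)."""
    return sum(1 for line in conf_text.splitlines() if line.startswith("["))


if __name__ == "__main__":
    # 2 base searches x 3 divisions -> 6 stanzas; redirect into local/savedsearches.conf.
    print(render_stanzas(BASE_SEARCHES, load_lookup(LOOKUP_CSV)))
```

Run it once per change to the lookup and drop the output into the app's local/savedsearches.conf, then reload (or use the REST API) rather than editing 450 stanzas by hand; the escaping in escape_spl matters if a division name could ever contain a double quote, since it is spliced into the SPL search string.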