Solved: Send an e-mail to a variable located in your resul...

cburr2012 · ‎07-31-2012

Hello all,

I have a query that is locating users that are logging in to our exchange server. I have an alert set up that sends the username to a static e-mail address.

I would like to make that static e-mail address dynamic based on the results pulled from the table.

i.e.: index=exchange these_terms_here --> yields --> johndoe@google.com

Instead of alerting ME that johndoe@google.com has logged in, I want to alert johndoe@google.com that he has logged in.

I was thinking that Splunk uses Splunk Alert: $name$, so I could just call my field from the search results $email$, but that appears to be local to the create alert function.

Other than a Python script, thoughts? I will do it w/ Python if there are no local-to-Splunk options. Thanks!

yannK · ‎08-01-2012

The basic alerting doesn't allow dynamic email destination.
If you want to go this way, use scripted alerts, and write a script that :

have your search result contain the email in it
- takes the arguments from the alert
- open the result file, look for the email the results
- sent the email (or call the email script sendemail.py) with the new arguments.

see http://docs.splunk.com/Documentation/Splunk/4.3.3/admin/ConfigureScriptedAlerts

View solution in original post

troywollenslege · ‎12-17-2012

Did you ever create a script to do this? Willing to share?

troywollenslege · ‎04-30-2013

Splunk says you can upload just scripts to their site.. maybe here?

https://www.splunk.com/index.php?module=roles&func=showloginform&artid=splunkbase&redirecturl=http:/...

Built something useful with Splunk? Want to share it?
Why not package it into an app and upload it?

Uploads don't have to be complex. Even one useful script, saved search, or view can help others in the Splunk Community!

cburr2012 · ‎04-29-2013

Yes, I did create a script to do this. After some trial and error, it is working. I will find a way to share this.

ramgnisiv · ‎01-30-2019

6 yrs later, i have the same problem. Does someone have a script they can share?

fulldanad · ‎01-30-2019

Hi

FYI, we did it with the following SPL request :

gjanders · ‎01-30-2019

sendresuilts would also handle this scenario

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

fulldanad · ‎01-13-2017

Hi,

Were you able to share the script somewhere ?

Rgds
Dan

yannK · ‎08-01-2012

The basic alerting doesn't allow dynamic email destination.
If you want to go this way, use scripted alerts, and write a script that :

have your search result contain the email in it
- takes the arguments from the alert
- open the result file, look for the email the results
- sent the email (or call the email script sendemail.py) with the new arguments.

see http://docs.splunk.com/Documentation/Splunk/4.3.3/admin/ConfigureScriptedAlerts

Send an e-mail to a variable located in your results

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Join the Conversation