Send mail to user in search results

Sasquatchatmars
Communicator

Hi all,

I have made a search that gives me every user whose password expires in less than 10 days. Is there a way to send an email daily to that user instead of to the IT department? That way I can fully automate this process, and the users themselves are notified when their password is about to expire.

Thank you,

Sasquatchatmars


rnowitzki
Builder

Hi @Sasquatchatmars ,

Create an alert based on your search (execute the search and click on "save as > alert" above the time picker).

Here you would select the email notification action.

You can get the details for the configuration here:
https://docs.splunk.com/Documentation/Splunk/latest/Alert/Emailnotification

There is a paragraph that explains how you can send the alert to different users, based on the search results.
Do you have the email in the search results? If not, you could get it from a lookup that provides the email based on the username for example.

BR
Ralph

--
Karma and/or Solution tagging appreciated.

Sasquatchatmars
Communicator

Hi @rnowitzki ,

Thank you for your comment. Do you know if it is possible to make an email template that is sent to those specified users? With a procedure that they need to follow, for example?

Thank you,

Sasquatchatmars


rnowitzki
Builder

Yes, it's all in the alert settings. You can give the subject and body of the email and use tokens to integrate values from the search results (for example the name of the user or the number of days until the pw expires).

You reference fields from the search results with $result.fieldname$, details in the link provided.

Something like: "Hello $result.firstname$, your password will expire in $result.daysuntilexpiration$"

BR
Ralph

--
Karma and/or Solution tagging appreciated.

swetham
Engager

Hi. Can you tell me the SPL for fetching the password expiry date and username from the search results?


Sasquatchatmars
Communicator

Hi @rnowitzki ,

Is there a way to use all results from the search? $result.name$ only uses the first result of the field, and my search has multiple results. I tried the token $results.name$ but it didn't seem to work.

Thank you,

Sasquatchatmars


rnowitzki
Builder

Hi @Sasquatchatmars,

The tokens are only assigned to the first row in the result set.

But try to set the trigger of the alert to "for each result" instead of "once".

This should trigger an alert (and thus an email) for each of the search results, so an email is sent to every single user with an expiring password.

BR
Ralph

--
Karma and/or Solution tagging appreciated.
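The pieces discussed across this thread (an email address joined in from a lookup, a subject and body built from $result.fieldname$ tokens, and the "for each result" trigger so that every user gets their own mail) can be written down as a single savedsearches.conf stanza. The one below is an added example for illustration and is not taken from the thread or from Splunk's documentation; the stanza name, the lookup file names ad_users.csv and user_email.csv, and the field names username, firstname, email, pwd_expires and daysuntilexpiration are all assumptions about what your own search produces.

```ini
# savedsearches.conf (added example, not from the thread). Stanza name, lookup
# files and field names are assumptions: the search must yield one row per
# user with username, firstname, email and daysuntilexpiration.
[Password expiring in 10 days - notify user]
# Assumed directory export as source; the e-mail address is joined from a
# separate, admin-maintained lookup so the "To" field never comes from data
# the user population can edit themselves.
search = | inputlookup ad_users.csv \
  | eval daysuntilexpiration = floor((strptime(pwd_expires, "%Y-%m-%dT%H:%M:%S") - now()) / 86400) \
  | where daysuntilexpiration >= 0 AND daysuntilexpiration < 10 \
  | lookup user_email.csv username OUTPUT email \
  | where isnotnull(email) \
  | table username firstname email daysuntilexpiration

# Run once a day at 07:00; the lookup-based search needs no time range.
enableSched = 1
cron_schedule = 0 7 * * *
dispatch.earliest_time = -24h
dispatch.latest_time = now

# Trigger when there is at least one result ...
counttype = number of events
relation = greater than
quantity = 0
# ... and run the action once per result row ("for each result"), not once per run.
alert.digest_mode = 0
alert.track = 1
# At most one mail per user per day, even if the schedule is tightened later.
alert.suppress = 1
alert.suppress.fields = username
alert.suppress.period = 24h

# Email action; each $result.<field>$ is filled from the row that triggered it.
action.email = 1
action.email.to = $result.email$
action.email.subject = Your password expires in $result.daysuntilexpiration$ days
action.email.message.alert = Hello $result.firstname$, your password will expire in $result.daysuntilexpiration$ days. Please change it before then by following the password change procedure.
action.email.sendresults = 0
```

The same settings are reachable from the UI: "Save As > Alert", trigger condition "Number of Results > 0", trigger "For each result", throttle on the username field, and the email action with the To field set to the $result.email$ token. Two points worth checking before enabling it: the email field should come from a lookup that only administrators can change, because whatever lands in that field becomes a recipient; and the first runs are easier to review with action.email.to temporarily pointed at a mailbox you control, since a per-result alert with a large result set sends one message per row.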

Sasquatchatmars
Communicator

Hi @rnowitzki,

Thank you, this was the answer!

Sasquatchatmars


Sasquatchatmars
Communicator

Hi @rnowitzki,

Thank you very much for your help, this was exactly what I needed!

Sasquatchatmars
