Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

sendresults in Splunk Alert

rchakka
New Member
‎06-27-2018 04:55 PM

can we use sendresults command in a splunk alert ?

for example,i am creating an alert to trigger email via sendresults when a specific condition is triggered

"my query"| eval email_to="abc@123.com"
| sendresults showemail=f subject=" Password Changed alert" body="The password on your Network account has changed. If you did not initiate this change, please contact your system administrator."

Note: the email is generated when i perform the search ,but it is not working when used in the alert

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎07-18-2018 07:37 AM

Yes, but you have control over your saved search; you can set it to Run as owner or Run as user. Obviously, the permissions vary user-to-user. Make sure that it runs for you, then you have a choice to make: give everyone enough permissions so they can run it, too, or have it Run as owner.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎06-27-2018 05:40 PM

For alerts we use sendalert. It’s a little different.

But if you just save the search as an alert, splunk will do that for you.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎06-27-2018 05:41 PM

Save as alert without sendemail command that is. Then add a trigger condition and make it send an email as the action.

0 Karma
Reply

rchakka
New Member
‎06-28-2018 03:27 AM

thanks for the response.

what if the email is variable field?

for example
"my query"| eval email_to=$test$
| sendresults showemail=f subject=" Password Changed alert" body="The password on your Network account has changed. If you did not initiate this change, please contact your system administrator."

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎06-28-2018 05:41 AM

See this article and change the version to your correct splunk version:

https://docs.splunk.com/Documentation/Splunk/7.1.1/Alert/EmailNotificationTokens

In 7.1.1 for example you’d use $result.fieldName$ in your email subject, to/cc/bcc, body,
Etc

0 Karma
Reply

rchakka
New Member
‎06-29-2018 06:24 AM

"my query"| eval email_to=$test$
| sendresults showemail=f subject=" Password Changed alert" body="The password on your Network account has changed. If you did not initiate this change, please contact your system administrator."

I used in the alert email field

TO $result.test$

but still no luck with email. note: the query is working fine.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎06-29-2018 06:35 AM

Where is $test$ coming from? Drop down menus or fields in the data?

0 Karma
Reply

rchakka
New Member
‎07-03-2018 09:43 AM

fields in the data from my search

0 Karma
Reply

rchakka
New Member
‎07-18-2018 06:20 AM

Identified an issue with realtime alerting .the alert is triggering first time only when we use variable field in send mail to field. Anyone with similar issues? i am using splunk cloud? thank you all.

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...