Alerting

sendresults in Splunk Alert

rchakka
New Member

Can we use the sendresults command in a Splunk alert?

For example, I am creating an alert to trigger an email via sendresults when a specific condition is triggered:

"my query"| eval email_to="abc@123.com"
| sendresults showemail=f subject=" Password Changed alert" body="The password on your Network account has changed. If you did not initiate this change, please contact your system administrator."

Note: the email is generated when I perform the search, but it is not working when used in the alert.

0 Karma

woodcock
Esteemed Legend

Yes, but you have control over your saved search; you can set it to Run as owner or Run as user. Obviously, the permissions vary user-to-user. Make sure that it runs for you, then you have a choice to make: give everyone enough permissions so they can run it, too, or have it Run as owner.

0 Karma

jkat54
SplunkTrust

For alerts we use sendalert. It’s a little different.

But if you just save the search as an alert, Splunk will do that for you.

0 Karma

jkat54
SplunkTrust

Save as alert without sendemail command that is. Then add a trigger condition and make it send an email as the action.

0 Karma

rchakka
New Member

Thanks for the response.

What if the email is a variable field?

For example:
"my query"| eval email_to=$test$
| sendresults showemail=f subject=" Password Changed alert" body="The password on your Network account has changed. If you did not initiate this change, please contact your system administrator."

0 Karma

jkat54
SplunkTrust

See this article and change the version to your correct Splunk version:

https://docs.splunk.com/Documentation/Splunk/7.1.1/Alert/EmailNotificationTokens

In 7.1.1, for example, you'd use $result.fieldName$ in your email subject, to/cc/bcc, body, etc.

0 Karma
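To make the approach in this answer concrete, here is an added example of what the saved search looks like on disk once the search is saved as an alert with an email action and a result token in the To field. This is not code from any poster or from Splunk's documentation; it is a constructed savedsearches.conf stanza. The stanza name, the index and sourcetype, the email_to field name and the cron schedule are assumptions chosen for illustration; the configuration keys are standard savedsearches.conf keys.

```ini
# Constructed example stanza for savedsearches.conf (not from the thread).
# The search itself no longer pipes to sendresults or sendemail; the email
# is sent by the alert action, which is where $result.<field>$ tokens resolve.
[Password Changed alert]
# Assumed search: index, sourcetype and field names are illustrative.
search = index=auth sourcetype=password_change | eval email_to=user_email | table _time user email_to
# Run on a schedule (here every 5 minutes, assumed) rather than as a real-time search.
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = now
# Trigger condition: fire when the search returns at least one event.
counttype = number of events
relation = greater than
quantity = 0
# Trigger once per result so $result.email_to$ is taken from each row,
# not only from the first row of a digest.
alert.digest_mode = 0
alert.track = 1
# Email action with result tokens in the To field and the body.
action.email = 1
action.email.to = $result.email_to$
action.email.subject = Password Changed alert
action.email.message.alert = The password on your Network account ($result.user$) has changed. If you did not initiate this change, please contact your system administrator.
action.email.sendresults = 0
```

With `alert.digest_mode = 0` the action runs once per matching row, so each row's email_to value becomes the recipient; with digest mode on, `$result.email_to$` is only evaluated against the first row. Whether the search produces a non-empty email_to field for every row is worth checking in the search view before saving it as an alert, since an empty token leaves the To field blank and the action fails silently from the user's point of view.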

rchakka
New Member

"my query"| eval email_to=$test$
| sendresults showemail=f subject=" Password Changed alert" body="The password on your Network account has changed. If you did not initiate this change, please contact your system administrator."

I used this in the alert email field:

TO $result.test$

But still no luck with the email. Note: the query is working fine.

0 Karma

jkat54
SplunkTrust

Where is $test$ coming from? Drop down menus or fields in the data?

0 Karma

rchakka
New Member

Fields in the data from my search.

0 Karma

rchakka
New Member

Identified an issue with real-time alerting: the alert is triggering the first time only when we use a variable field in the send mail To field. Anyone with similar issues? I am using Splunk Cloud. Thank you all.

0 Karma