Is there a way to set the subject field in the sendresults command app dynamically?
I'm looking for something like the following:
index=myindex | eval email_to="abc@splunk.com" | eval new_subject="Index is ".index | sendresults showemail=f subject=new_subject body="Body of the email"
What happens in the above scenario is that the subject of the email will be the string "new_subject" instead of its value. I need the subject to be "index is myindex".
Any thoughts?
Hi!
Thank you for your interest in the sendresults command.
At this time the sendresults command does not support what you are looking to do. As you probably saw, the command is expecting a string in the subject parameter and not the value as passed in from another field.
We are looking to update the command soon and this would be a great new feature to add into the next release.
Hi, thanks for raising the issue. Can you email support@discoveredintelligence.ca so we can look into this issue a bit deeper?
Thanks.
FYI may be worth creating a new question for the next question around this, I only bumped this old question to advise it was now possible to use a dynamic subject!
Updating this old post to advise that email_subj and email_body are now supported fields as of sendresults 4.0.
I am getting the following error with the new version.
command="sendresults", Error : All results must contain a field named email_to with the intended recipient.
I am not sure what I am missing in the query.
index=mtr source="mine" level=ERROR
| sort - _time
| eval Time = strftime(_time, "%m/%d/%y %I:%M:%S %p")
| eventstats count as TOTAL_COUNT
| eval criticality = case(TOTAL_COUNT > 100, "Critical", TOTAL_COUNT >= 50, "Warning", 1==1, "Info")
| eval email_to=case(
match(criticality,"Critical"), "chandra.kolla@xyz.com",
match(criticality,"Warning"), "abcd@gmail.com",
match(criticality,"Info"), "chandra.kolla@qwerty.com")
| eval email_subj=case(
match(criticality,"Critical"),"Critical Severity Errors",
match(criticality,"Warning"),"High Severity Errors",
match(criticality,"Info"),"Info Severity Errors")
| table Time,level,serviceName,requestId,ipAddress,logger,message,email
| sendresults
Hi,
Are you including all the necessary fields in your table command that the sendresults command requires? From your example it looks like email_to and email_subj are not.
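To make the point above concrete, here is an added Python model (not the sendresults app's own code) of the field contract described in this thread: every result row must carry email_to, and email_subj, when present, becomes the subject. The sample events, the grouping of rows into one message per recipient and subject, and the function names are constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample events standing in for: index=mtr source="mine" level=ERROR
EVENTS = [
    {"Time": "01/02/24 10:00:00 AM", "level": "ERROR", "message": "disk full"},
    {"Time": "01/02/24 10:00:05 AM", "level": "ERROR", "message": "timeout"},
]

# Same mappings as the thread's two eval/case() statements.
RECIPIENTS = {"Critical": "chandra.kolla@xyz.com",
              "Warning": "abcd@gmail.com",
              "Info": "chandra.kolla@qwerty.com"}
SUBJECTS = {"Critical": "Critical Severity Errors",
            "Warning": "High Severity Errors",
            "Info": "Info Severity Errors"}


def criticality(total_count):
    """Thresholds from the thread's case(TOTAL_COUNT > 100, ..., TOTAL_COUNT >= 50, ...)."""
    if total_count > 100:
        return "Critical"
    if total_count >= 50:
        return "Warning"
    return "Info"


def enrich(events):
    """eventstats count as TOTAL_COUNT, then derive criticality, email_to and email_subj."""
    level = criticality(len(events))
    return [dict(e, criticality=level, email_to=RECIPIENTS[level],
                 email_subj=SUBJECTS[level]) for e in events]


def table(rows, *fields):
    """Model of Splunk's table command: keep only the named fields on every row."""
    return [{f: r[f] for f in fields if f in r} for r in rows]


def sendresults(rows, subject="Splunk results"):
    """Apply the sendresults 4.0 contract: fail if any row lacks email_to,
    otherwise group rows into one message per (recipient, subject).
    Returns {(email_to, subject): [rows]} instead of actually sending mail."""
    if not rows or any("email_to" not in r for r in rows):
        raise ValueError("All results must contain a field named email_to "
                         "with the intended recipient.")
    messages = defaultdict(list)
    for r in rows:
        messages[(r["email_to"], r.get("email_subj", subject))].append(r)
    return dict(messages)
```

Running sendresults over table(enrich(EVENTS), "Time", "level", "message") reproduces the error from the post above, while adding "email_to" and "email_subj" to the table call yields one message addressed to the Info recipient with the Info subject.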
I am sorry. It makes sense now. I got it.
Actually, the table column headers aren't in a constant pattern for the alert every time. One time it shows in one order, some other time the column names are in another order.
Yes, I think.
| eval email_to=case(
match(criticality,"Critical"), "chandra.kolla@xyz.com",
match(criticality,"Warning"), "abcd@gmail.com",
match(criticality,"Info"), "chandra.kolla@qwerty.com")
| eval email_subj=case(
match(criticality,"Critical"),"Critical Severity Errors",
match(criticality,"Warning"),"High Severity Errors",
match(criticality,"Info"),"Info Severity Errors")
It's not a direct approach, but the Splunk map command comes in very handy in these cases. For example, in the below scenario I want to change the mail subject / email details by each host name. So I will write the logic in the main search and pass unique host and subject fields to the map search.
This will send the mail results with a pre-defined email id / subject for each host you have. You can alter the mail search logic as it suits your requirement.
index=myindex | dedup host | eval new_subject=if(host="abc","abc",null()) ..... etc logic | eval mail_id=if(host="abc","abc@splunk.com",null()) ..... etc logic | table host new_subject mail_id | map search="search index=myindex host=$host$ | table _time user action other-fields ..... | eval email_to=\"$mail_id$\" | sendresults showemail=f subject=\"$new_subject$\" body=\"Body of the email\""
Good to know. Even though I didn't do a deep dive into the code, this comment[1] actually made me think that if there is a field called subject in the events returned, it will be set as the subject of the email.
[1] https://github.com/DiscoveredIntelligence/sendresults/blob/master/bin/sendresults.py#l73
Hi mockd, any idea when the next version will be released? Dynamic subject and body would be a big win here.
Any update on this one? I have been trying to send the alert with the dynamic subject. Any help is appreciated.
Hi, if you reach out to us on the support address listed on the details section of the Splunkbase page for Sendresults, I can send you a beta version we finally have ready to be tested.
That sounds like a good idea. Thanks!
Hi nibinabr
Don't you want to use the sendemail command?
If using the sendemail command will satisfy you, tell me.
Sure, sendemail is an option. I was under the assumption that sendemail cannot take variables as their email subject etc. and that was the reason I was trying out sendresults. How do I achieve this using sendemail?