
How to dynamically set the subject field in the sendresults command app?

Communicator

Is there a way to set the subject field in the sendresults command app dynamically?

I'm looking for something like the following:

index=myindex
| eval email_to="abc@splunk.com"
| eval new_subject="Index is ".index
| sendresults showemail=f subject=new_subject body="Body of the email"

What happens in the above scenario is that the subject of the email will be the literal string "new_subject" instead of its value. I need the subject to be "Index is myindex".

Any thoughts?


Path Finder

Hi!

Thank you for your interest in the sendresults command.

At this time the sendresults command does not support what you are looking to do. As you probably saw, the command is expecting a string in the subject parameter and not the value as passed in from another field.

We are looking to update the command soon and this would be a great new feature to add into the next release.


Path Finder

Actually, with the newer version of the sendresults app, which is 4.0, the table column headers aren't in a consistent order for the alert every time. One time they show in one order, another time the column names are in another order.

Path Finder

Hi, thanks for raising the issue. Can you email support@discoveredintelligence.ca so we can look into this issue a bit deeper?

Thanks.

SplunkTrust

FYI, it may be worth creating a new question for the next question around this; I only bumped this old question to advise that it is now possible to use a dynamic subject!

SplunkTrust

Updating this old post to advise that email_subj and email_body are now supported fields as of sendresults 4.0.

Path Finder

I am getting the following error with the new version:
command="sendresults", Error : All results must contain a field named email_to with the intended recipient.

I am not sure what I am missing in the query.

index=mtr source="mine" level=ERROR
| sort - _time
| eval Time = strftime(_time, "%m/%d/%y %I:%M:%S %p")
| eventstats count as TOTALCOUNT
| eval criticality = case(TOTALCOUNT > 100, "Critical", TOTALCOUNT >= 50, "Warning", 1==1, "Info")
| eval email_to=case(
    match(criticality,"Critical"), "chandra.kolla@xyz.com",
    match(criticality,"Warning"), "abcd@gmail.com",
    match(criticality,"Info"), "chandra.kolla@qwerty.com")
| eval email_subj=case(
    match(criticality,"Critical"),"Critical Severity Errors",
    match(criticality,"Warning"),"High Severity Errors",
    match(criticality,"Info"),"Info Severity Errors")
| table Time,level,serviceName,requestId,ipAddress,logger,message,email
| sendresults
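The query above routes each result to a recipient and subject through the email_to and email_subj fields. The following is an added example, not code from the sendresults app or from Discovered Intelligence: a minimal Python model of what such a field-driven command has to do before anything is sent. It groups results by (recipient, subject), fails closed with the same kind of error quoted above when a result has no email_to, renders the table with an explicit column order (the stable-header problem raised elsewhere in this thread), and folds CR/LF out of field-derived header values so that a log message containing "\r\nBcc: ..." cannot inject extra mail headers. The field names email_to and email_subj come from the thread; email_body is assumed by analogy, and the sample results are constructed.

```python
# Added example, not code from the sendresults app. Models a custom search
# command that takes recipient and subject from per-result fields instead of a
# fixed `subject=` argument, with the checks a practitioner would want around
# field-driven mail headers.
from email.message import EmailMessage

# Field names: email_to and email_subj appear in the thread; email_body is
# assumed here by analogy and may not match the app.
TO_FIELD = "email_to"
SUBJECT_FIELD = "email_subj"
BODY_FIELD = "email_body"
ROUTING_FIELDS = (TO_FIELD, SUBJECT_FIELD, BODY_FIELD)

# Constructed sample results, shaped like rows leaving a `table` command:
# one dict per result, keys in table column order.
SAMPLE_RESULTS = [
    {"Time": "01/02/24 10:00:00 AM", "level": "ERROR", "message": "db timeout",
     "criticality": "Critical", "email_to": "oncall@example.com",
     "email_subj": "Critical Severity Errors"},
    {"Time": "01/02/24 10:00:05 AM", "level": "ERROR", "message": "retry failed",
     "criticality": "Critical", "email_to": "oncall@example.com",
     "email_subj": "Critical Severity Errors"},
    {"Time": "01/02/24 10:01:00 AM", "level": "ERROR", "message": "slow query",
     "criticality": "Warning", "email_to": "team@example.com",
     "email_subj": "High Severity Errors"},
]


class MissingRecipient(ValueError):
    """A result had no recipient; the command should fail closed, not send."""


def header_safe(value):
    """Fold CR/LF out of a field-derived header value.

    A log line such as 'Errors\\r\\nBcc: x@evil.example' would otherwise end
    the Subject header early and inject a new one (mail header injection).
    """
    return " ".join(str(value).splitlines()).strip()


def render_table(columns, rows):
    """Tab-separated table with an explicit column order, so the header row is
    the same on every run instead of following dict/set iteration order."""
    lines = ["\t".join(columns)]
    for row in rows:
        lines.append("\t".join(str(row.get(col, "")) for col in columns))
    return "\n".join(lines)


def route_results(results, default_subject="Splunk search results"):
    """Group results by (recipient, subject) and build one message per group.

    Returns a list of EmailMessage objects; nothing is sent, so the routing can
    be inspected before an SMTP step is added.
    """
    groups = {}  # insertion-ordered on Python 3.7+
    for idx, row in enumerate(results):
        to = row.get(TO_FIELD)
        if not to:
            raise MissingRecipient(
                "All results must contain a field named %s with the intended "
                "recipient (missing in result %d)" % (TO_FIELD, idx))
        subject = header_safe(row.get(SUBJECT_FIELD) or default_subject)
        groups.setdefault((header_safe(to), subject), []).append(row)

    messages = []
    for (to, subject), rows in groups.items():
        # Column order comes from the first result, minus the routing fields.
        columns = [k for k in rows[0] if k not in ROUTING_FIELDS]
        msg = EmailMessage()
        msg["To"] = to
        msg["Subject"] = subject
        msg.set_content(rows[0].get(BODY_FIELD) or render_table(columns, rows))
        messages.append(msg)
    return messages


if __name__ == "__main__":
    for m in route_results(SAMPLE_RESULTS):
        rows = len(m.get_content().splitlines()) - 1
        print("To: %s | Subject: %s | %d row(s)" % (m["To"], m["Subject"], rows))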

Path Finder

Hi,

Are you including all the necessary fields in your table command that the sendresults command requires? From your example it looks like email_to and email_subj are not.

Path Finder

I am sorry. It makes sense now. I got it.


Path Finder

Actually, the table column headers aren't in a consistent order for the alert every time. One time they show in one order, another time the column names are in another order.

Path Finder

Yes, I think so.

| eval email_to=case(
    match(criticality,"Critical"), "chandra.kolla@xyz.com",
    match(criticality,"Warning"), "abcd@gmail.com",
    match(criticality,"Info"), "chandra.kolla@qwerty.com")
| eval email_subj=case(
    match(criticality,"Critical"),"Critical Severity Errors",
    match(criticality,"Warning"),"High Severity Errors",
    match(criticality,"Info"),"Info Severity Errors")

Path Finder

It's not a direct approach, but the Splunk map command comes in very handy in these cases. For example, in the scenario below I want to change the mail subject / email details per host name. So I write the logic in the main search and pass unique host and subject fields to the map search.

This will send the mail results with a pre-defined email ID / subject for each host you have. You can alter the mail search logic to suit your requirement.

index=myindex
| dedup host
| eval new_subject=if(host="abc","abc",null()) .....etc logic
| eval mail_id=if(host="abc","abc@splunk.com",null()) .....etc logic
| table host new_subject mail_id
| map search="search index=myindex host=$host$ | table _time user action other-fields ..... | eval email_to=\"$mail_id$\" | sendresults showemail=f subject=\"$new_subject$\" body=\"Body of the email\""


Communicator

Good to know. Even though I didn't do a deep dive into the code, this comment[1] actually made me think that if there is a field called subject in the events returned, it will be set as the subject of the email.

[1] https://github.com/DiscoveredIntelligence/sendresults/blob/master/bin/sendresults.py#l73

Explorer

Hi mockd, any idea when the next version will be released? Dynamic subject and body would be a big win here.

Path Finder

Any update on this one? I have been trying to send the alert with a dynamic subject. Any help is appreciated.

Path Finder

Hi, if you reach out to us at the support address listed in the details section of the Splunkbase page for Sendresults, I can send you a beta version we finally have ready to be tested.

Path Finder

That sounds like a good idea. Thanks!


Motivator

Hi nibinabr,
Don't you want to use the sendemail command?
If using the sendemail command will satisfy you, tell me.

Communicator

Sure, sendemail is an option. I was under the assumption that sendemail cannot take variables as the email subject etc., and that was the reason I was trying out sendresults. How do I achieve this using sendemail?