I have created an alert that generates a report in tabular form and sends the rows of results to individuals dynamically based on the value in a particular field. However, I also need the entire set of results to be sent to a group irrespective of the result set. When I hardcode the group in the cc mail as per the information on Splunkbase, the entire result set doesn't get sent to the cc'ed group in a single email; instead it is sent to the group as individual emails containing the result set for different individuals. Is it possible to send a single email containing the entire result set to a group while dynamically sending the respective rows of results to individual recipients at the same time?
My search looks like this:
|pivot ....| eval emailto='userid'."@abc.com".",firstname.lastname@example.org"| sendresults ...
Also, I noticed that if for one user id there are multiple rows of results, say 3, then 3 result sets get sent to the individual in a single email, so I was wondering why the same is not happening with the cc'ed group, as it is specified as the recipient for all the rows of result sets.
I had the same requirement and resolved it this way.
We use the sendresults command inline in the scheduled alert to break out the results to the emailto field.
We then configure the "Trigger Actions" of the alert to email the group that needs the entire list. This sends a single email with all the results and also includes the emailto field.
Thanks for the interest in the sendresults command.
The idea of being able to cc the entire report in addition to the individual emails is a great idea, and I have added it to our list of enhancements for the command.
For your question about the user with three results, that's the result that I would expect. Sendresults groups the rows to be sent based on the final value of the emailto field when the command is run, and the recipients in the emailto field will get those rows. So if some rows have emailA and emailB but some rows only have emailA, then emailA will get two emails: the one that has rows in which the email_to was only emailA, and an email with the rows that were emailA and emailB. Hopefully that makes sense.
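The following is an added illustration, not code from the sendresults app or from anyone in this thread. It models the grouping rule described in the last reply (rows are bucketed by the final value of the emailto field, and each distinct value becomes one message to every address listed in it), which is why a hardcoded cc address in the question's eval ends up in one bucket per user id and receives one email per bucket, while the "Trigger Actions" email from the earlier answer is a separate single message carrying every row. The rows, the GROUP address and the function names are constructed for the example.

```python
"""Model of how per-row recipient splitting groups results.

Added example, not the sendresults command's own code. It assumes rows with an
`emailto` field built as in the question's eval and applies the grouping rule
from the reply: bucket by the exact, final emailto string; one message per bucket.
"""

# Hardcoded cc address from the question (stand-in value).
GROUP = "firstname.lastname@example.org"

# Constructed sample rows standing in for the pivot output.
ROWS = [
    {"userid": "alice", "host": "web01", "status": "critical"},
    {"userid": "alice", "host": "web02", "status": "warning"},
    {"userid": "alice", "host": "web03", "status": "warning"},
    {"userid": "bob",   "host": "db01",  "status": "critical"},
]


def add_emailto(rows, cc=None):
    """Mimic `eval emailto='userid'."@abc.com"`, optionally appending a hardcoded cc."""
    out = []
    for row in rows:
        row = dict(row)
        row["emailto"] = row["userid"] + "@abc.com" + ("," + cc if cc else "")
        out.append(row)
    return out


def split_by_emailto(rows):
    """Group rows by the exact emailto string and emit one message per distinct value.

    Every address in the comma-separated value is a recipient of that message,
    so an address that appears in several distinct values gets several messages.
    """
    buckets = {}  # insertion order preserved, so messages follow first appearance
    for row in rows:
        buckets.setdefault(row["emailto"], []).append(row)
    return [{"to": [a.strip() for a in emailto.split(",")], "rows": group}
            for emailto, group in buckets.items()]


def messages_per_recipient(messages):
    """Count how many separate messages each address would receive."""
    counts = {}
    for msg in messages:
        for addr in msg["to"]:
            counts[addr] = counts.get(addr, 0) + 1
    return counts


def whole_report(rows, to):
    """One message with every row: the alert's 'Trigger Actions' email to the group."""
    return {"to": [to], "rows": list(rows)}


if __name__ == "__main__":
    # Hardcoded cc: the group lands in every bucket and gets one email per user id.
    split = split_by_emailto(add_emailto(ROWS, cc=GROUP))
    for msg in split:
        print(len(msg["rows"]), "row(s) ->", ", ".join(msg["to"]))
    print("messages per recipient:", messages_per_recipient(split))
    # The separate whole-report email carries all rows in a single message.
    print("whole report:", len(whole_report(ROWS, GROUP)["rows"]), "rows ->", GROUP)
```

Running it shows alice's three rows arriving in one message (as observed in the question) while the group address receives as many messages as there are distinct emailto values; the whole-report message is the only place all rows appear together.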