Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to send individual emails that appear in the search results

pavaninpdl
New Member
‎04-30-2018 04:11 AM

Hi team,

I have search results with CUID is the email(I will append my company domain to CUID, so that mail will go to person) and attached the sample result for the same .How to send the individual emails for all the users along with server name.

I have used send mail command , but it is sending only one mail to the user appear in the first result. I need to send mail to all the users that appears in the list.

alt text
Please help me on this.

Tags (1)
Preview file
1 KB
0 Karma
Reply

woodcock
Esteemed Legend
‎04-30-2018 11:39 AM

This is from another Q&A:
https://answers.splunk.com/answers/399434/send-emailed-results-to-an-email-address-in-the-re.html#an...

If you need to send a contextually-appropriate subset of results to some people, you can skip the configuration-based email settings and do this in SPL:

... | outputcsv TempFile.csv
| stats values(Email_Address) AS emailToHeader | mvexpand emailToHeader
| map search ="|inputcsv TempFile.csv | where Email_Addresss=\"$emailToHeader$\"
   | fields - Email_Address
   | sendemail
      sendresults=true inline=true
      server=\"Your.Value.Here\"
      from=\"Your.Value.Here\"
      to=\"$emailToHeader$\"
      subject=\"Your Subject here: \$name\$\"
      message=\"This report alert was generated by \$app\$ Splunk with this search string: \$search\$\""
| where comment="MakeSureNoEventsRemail"
| append [|inputcsv TempFile.csv]
0 Karma
Reply

sirajnp
Path Finder
‎06-30-2021 12:29 AM

It's pretty simple, don't even need to use map command. Just enable send email alert action and in to: field set $result.email$ (email - depend upon your field name in Splunk result) and select trigger "for each result". Email will be send to the respective email address for each line of result.

https://docs.splunk.com/Documentation/Splunk/6.3.3/Alert/Emailnotification#Send_email_to_different_r...

0 Karma
Reply

somesoni2
Revered Legend
‎04-30-2018 10:55 AM

You can use the map command along with the sendemail command, like this

your current search with all the fields mentioned in the screenshot
| map maxsearch=1000 search="| gentimes start=-1 | eval HOSTNM=\"$HOSTNM$\" |..other fields | sendmail to=\"$CUID$\" ..."
0 Karma
Reply

pradeepkumarg
Influencer
‎04-30-2018 10:48 AM

Did you try the map command?,

Look at below answer
https://answers.splunk.com/answers/627366/sending-emails-to-users-that-appear-in-search-resu.html

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...