Archive
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Ask a Question

How to send report to different user based on SPLUNK query

twtyj
New Member
โ€Ž06-28-2018 01:28 AM

I have a SPLUNK query that generate following table:

UserName Number recipient
usera 10 usera@mail.com
userb 20 userb@mail.com
userc 30 user_c@mail.com

how can i achieve for each recipient only receive email contains its records? like usera@mail.com only receive following:
UserName Number
user_a 10

Thanks.

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
โ€Ž06-30-2018 08:38 AM

This is from another Q&A:
https://answers.splunk.com/answers/399434/send-emailed-results-to-an-email-address-in-the-re.html#an...

If you need to send a contextually-appropriate subset of results to some people, you can skip the configuration-based email settings and do this in SPL:

... | outputlookup TempFile.csv
| stats values(Email_Address) AS emailToHeader | mvexpand emailToHeader
| map search ="|inputcsv TempFile.csv | where Email_Addresss=\"$emailToHeader$\"
   | fields - Email_Address
   | sendemail
      sendresults=true inline=true
      server=\"Your.Value.Here\"
      from=\"Your.Value.Here\"
      to=\"$emailToHeader$\"
      subject=\"Your Subject here: \$name\$\"
      message=\"This report alert was generated by \$app\$ Splunk with this search string: \$search\$\""
| where comment="MakeSureNoEventsRemail"
| append [|inputlookup TempFile.csv]
0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
โ€Ž06-28-2018 06:17 PM

sendresults may help here

Reply

MuS
SplunkTrust
SplunkTrust
โ€Ž06-28-2018 06:29 PM

Indeed this is the right command to do such a thing, here is an example :

Base search here 
| map search="| sendemail to=$recipient$ subject="words here" from=splunk@company.com message="We have this $Number$ for you""

Here are more examples https://answers.splunk.com/answers/186045/how-can-i-use-a-combination-of-map-and-sendemail-t.html

cheers, MuS

Reply

twtyj
New Member
โ€Ž06-28-2018 07:42 PM

Hi Mus,

I try your query but failed, the result is empty.

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
โ€Ž07-01-2018 05:58 PM

Hi there, well you need to adapt the example to match your fields in the events ๐Ÿ˜‰

cheers, MuS

0 Karma
Reply

Sukisen1981
Champion
โ€Ž06-28-2018 04:44 AM

Hi, yo ucan sort of roundabout implement this through alerts

http://docs.splunk.com/Documentation/Splunk/7.1.1/Alert/Emailnotification
This allows you to pass the To field dynamically through the $result.recipient$ token
Now,assuming that there is only 1 unique row per email address, you can set up an alert to run for each search result AND pass the 'TO' email address dynamically. I am sure you have access to the alert documentation, it is worth a try

0 Karma
Reply