Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to send report to different user based on SPLUNK query

twtyj
New Member
‎06-28-2018 01:28 AM

I have a SPLUNK query that generate following table:

User_Name Number recipient
user_a 10 user_a@mail.com
user_b 20 user_b@mail.com
user_c 30 user_c@mail.com

how can i achieve for each recipient only receive email contains its records? like user_a@mail.com only receive following:
User_Name Number
user_a 10

Thanks.

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎06-30-2018 08:38 AM

This is from another Q&A:
https://answers.splunk.com/answers/399434/send-emailed-results-to-an-email-address-in-the-re.html#an...

If you need to send a contextually-appropriate subset of results to some people, you can skip the configuration-based email settings and do this in SPL:

... | outputlookup TempFile.csv
| stats values(Email_Address) AS emailToHeader | mvexpand emailToHeader
| map search ="|inputcsv TempFile.csv | where Email_Addresss=\"$emailToHeader$\"
   | fields - Email_Address
   | sendemail
      sendresults=true inline=true
      server=\"Your.Value.Here\"
      from=\"Your.Value.Here\"
      to=\"$emailToHeader$\"
      subject=\"Your Subject here: \$name\$\"
      message=\"This report alert was generated by \$app\$ Splunk with this search string: \$search\$\""
| where comment="MakeSureNoEventsRemail"
| append [|inputlookup TempFile.csv]
0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎06-28-2018 06:17 PM

sendresults may help here

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
Reply

MuS
Legend
‎06-28-2018 06:29 PM

Indeed this is the right command to do such a thing, here is an example :

Base search here 
| map search="| sendemail to=$recipient$ subject="words here" from=splunk@company.com message="We have this $Number$ for you""

Here are more examples https://answers.splunk.com/answers/186045/how-can-i-use-a-combination-of-map-and-sendemail-t.html

cheers, MuS

Reply

twtyj
New Member
‎06-28-2018 07:42 PM

Hi Mus,

I try your query but failed, the result is empty.

0 Karma
Reply

MuS
Legend
‎07-01-2018 05:58 PM

Hi there, well you need to adapt the example to match your fields in the events 😉

cheers, MuS

0 Karma
Reply

Sukisen1981
Champion
‎06-28-2018 04:44 AM

Hi, yo ucan sort of roundabout implement this through alerts

http://docs.splunk.com/Documentation/Splunk/7.1.1/Alert/Emailnotification
This allows you to pass the To field dynamically through the $result.recipient$ token
Now,assuming that there is only 1 unique row per email address, you can set up an alert to run for each search result AND pass the 'TO' email address dynamically. I am sure you have access to the alert documentation, it is worth a try

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...
Top