
How to send a report to different users based on a Splunk query

twtyj
New Member

I have a Splunk query that generates the following table:

User_Name   Number   recipient
user_a      10       user_a@mail.com
user_b      20       user_b@mail.com
user_c      30       user_c@mail.com

How can I make each recipient receive only an email containing their own records? For example, user_a@mail.com should receive only the following:

User_Name   Number
user_a      10

Thanks.


woodcock
Esteemed Legend

This is from another Q&A:
https://answers.splunk.com/answers/399434/send-emailed-results-to-an-email-address-in-the-re.html#an...

If you need to send a contextually-appropriate subset of results to some people, you can skip the configuration-based email settings and do this in SPL:

... | outputlookup TempFile.csv
| stats values(Email_Address) AS emailToHeader | mvexpand emailToHeader
| map search="| inputlookup TempFile.csv | where Email_Address=\"$emailToHeader$\"
   | fields - Email_Address
   | sendemail
      sendresults=true inline=true
      server=\"Your.Value.Here\"
      from=\"Your.Value.Here\"
      to=\"$emailToHeader$\"
      subject=\"Your Subject here: \$name\$\"
      message=\"This report alert was generated by \$app\$ Splunk with this search string: \$search\$\""
| where comment="MakeSureNoEventsRemain"
| append [| inputlookup TempFile.csv]

MuS
SplunkTrust

Indeed, this is the right command to do such a thing. Here is an example:

Base search here
| map search="| sendemail to=\"$recipient$\" subject=\"words here\" from=\"splunk@company.com\" message=\"We have this $Number$ for you\""

Here are more examples https://answers.splunk.com/answers/186045/how-can-i-use-a-combination-of-map-and-sendemail-t.html

cheers, MuS
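The two answers above differ in one detail: MuS's map runs sendemail once per result row, while woodcock's writes the full table to a lookup and then selects each recipient's rows from it. The search below is an added example (not from either poster) that combines the two so that a recipient with several rows gets one email holding all of them, and that only lets data-derived addresses in the allow-listed domain receive mail. The index, sourcetype, lookup file name per_recipient_report.csv and the example.com domain are assumptions; replace them with your own.

```spl
index=app_logs sourcetype=app:audit earliest=-24h@h
| stats count AS Number BY User_Name recipient
| where match(recipient, "@example[.]com$")
| outputlookup per_recipient_report.csv
| stats values(recipient) AS recipient
| mvexpand recipient
| map maxsearches=100 search="| inputlookup per_recipient_report.csv
    | where recipient=\"$recipient$\"
    | fields User_Name Number
    | sendemail to=\"$recipient$\" subject=\"Your activity report\" sendresults=true inline=true format=table"
| where comment="drop_all_rows"
| append [| inputlookup per_recipient_report.csv | fields User_Name Number recipient]
```

Three points worth checking before scheduling this: map stops after maxsearches subsearches (the default is 10), so raise it to at least the number of distinct recipients; the `where match(...)` line is the control that keeps a recipient value injected into the events (a log line containing an outside address, for example) from routing someone's report out of the organisation, so keep it before the outputlookup; and the lookup file holds every recipient's rows, so anyone who can read lookups in that app can read the whole table. Scope the file's permissions to the owner, or put the search in an app only the reporting role can read.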

twtyj
New Member

Hi Mus,

I tried your query but it failed; the result is empty.


MuS
SplunkTrust

Hi there, well, you need to adapt the example to match the fields in your events 😉

cheers, MuS


Sukisen1981
Champion

Hi, you can implement this in a roundabout way through alerts:

http://docs.splunk.com/Documentation/Splunk/7.1.1/Alert/Emailnotification
This allows you to pass the To field dynamically through the $result.recipient$ token.
Now, assuming that there is only one unique row per email address, you can set up an alert to run for each search result AND pass the "To" email address dynamically. I am sure you have access to the alert documentation; it is worth a try.

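The alert approach described above, written out as a savedsearches.conf stanza. This is an added configuration example, not from the poster or the Splunk docs; the stanza name, index, sourcetype and example.com domain are assumptions. Setting alert.digest_mode = 0 makes the alert fire once per result row, so $result.recipient$ in action.email.to resolves to that row's address and sendresults attaches only that row, which is exactly the "one row per recipient" case the poster assumes.

```ini
[per_recipient_activity_report]
search = index=app_logs sourcetype=app:audit earliest=-24h@h | stats count AS Number BY User_Name recipient | where match(recipient, "@example[.]com$")
cron_schedule = 0 7 * * *
enableSched = 1
counttype = number of events
relation = greater than
quantity = 0
alert.digest_mode = 0
alert.suppress = 0
action.email = 1
action.email.to = $result.recipient$
action.email.subject = Activity report for $result.User_Name$
action.email.sendresults = 1
action.email.inline = 1
action.email.format = table
action.email.message.alert = User $result.User_Name$ had $result.Number$ events in the last 24 hours.
```

If a recipient can appear in more than one row, either collapse the rows first (for example `stats sum(Number) AS Number values(User_Name) AS User_Name BY recipient`) or use the map-based search instead, because per-result triggering sends one email per row, not per address. As with the SPL version, the `where match(...)` clause in the search is what stops an address that arrived in the event data from pulling a report outside the organisation; keep it in the saved search rather than relying on mail-server policy alone.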