Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

sendresults in Splunk Alert

rchakka
New Member
‎06-27-2018 04:55 PM

can we use sendresults command in a splunk alert ?

for example,i am creating an alert to trigger email via sendresults when a specific condition is triggered

"my query"| eval email_to="abc@123.com"
| sendresults showemail=f subject=" Password Changed alert" body="The password on your Network account has changed. If you did not initiate this change, please contact your system administrator."

Note: the email is generated when i perform the search ,but it is not working when used in the alert

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎07-18-2018 07:37 AM

Yes, but you have control over your saved search; you can set it to Run as owner or Run as user. Obviously, the permissions vary user-to-user. Make sure that it runs for you, then you have a choice to make: give everyone enough permissions so they can run it, too, or have it Run as owner.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎06-27-2018 05:40 PM

For alerts we use sendalert. It’s a little different.

But if you just save the search as an alert, splunk will do that for you.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎06-27-2018 05:41 PM

Save as alert without sendemail command that is. Then add a trigger condition and make it send an email as the action.

0 Karma
Reply

rchakka
New Member
‎06-28-2018 03:27 AM

thanks for the response.

what if the email is variable field?

for example
"my query"| eval email_to=$test$
| sendresults showemail=f subject=" Password Changed alert" body="The password on your Network account has changed. If you did not initiate this change, please contact your system administrator."

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎06-28-2018 05:41 AM

See this article and change the version to your correct splunk version:

https://docs.splunk.com/Documentation/Splunk/7.1.1/Alert/EmailNotificationTokens

In 7.1.1 for example you’d use $result.fieldName$ in your email subject, to/cc/bcc, body,
Etc

0 Karma
Reply

rchakka
New Member
‎06-29-2018 06:24 AM

"my query"| eval email_to=$test$
| sendresults showemail=f subject=" Password Changed alert" body="The password on your Network account has changed. If you did not initiate this change, please contact your system administrator."

I used in the alert email field

TO $result.test$

but still no luck with email. note: the query is working fine.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎06-29-2018 06:35 AM

Where is $test$ coming from? Drop down menus or fields in the data?

0 Karma
Reply

rchakka
New Member
‎07-03-2018 09:43 AM

fields in the data from my search

0 Karma
Reply

rchakka
New Member
‎07-18-2018 06:20 AM

Identified an issue with realtime alerting .the alert is triggering first time only when we use variable field in send mail to field. Anyone with similar issues? i am using splunk cloud? thank you all.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...