Creating a List of Email Addresses and performing a search loop

New Member

Pretty new to Splunk and looking for advice.
I've tried reviewing subsearches, map and foreach looping, but I just can't crack the syntax.
I have two indexes: one stores computer hostname, IP, and a tag for a contact email.
The other index is scan data about missing patches, keyed by IP.

Index=hostnames
Hostname    ip_address    Contact
Hostname1   192.x.x.1     Email1
Hostname2   192.x.x.2     Email2
Hostname3   192.x.x.3     Email3
Hostname4   192.x.x.4     Email4
Hostname5   192.x.x.5     Email2
Hostname6   192.x.x.6     Email3

Index=scandata
Ip          scanfindingname    scanfindingdescription
192.x.x.4   java-blah          java-blah
192.x.x.2   java-blah          java-blah
192.x.x.2   java-blah2         java-blah2

I have figured out how to get the search (with a join of ip to ip_address) to display a table, using stats count by hostname, ip, and contact email, that shows each hostname and its total number of findings.

Table where Contact=Email2:
Hostname    IP           Contact    Count
Hostname2   192.x.x.2    Email2     2
Hostname5   192.x.x.5    Email2     1

I cannot figure out how to create an automated email for each email address from the hostnames index.
It's essentially 3 queries:

  1. Get the list of email addresses from the contact field in the hostnames index (dedup contact): [Email1, Email2, Email3]
  2. Find the scan data by IP and grab the hostname and total found by hostname where contact = $Email$
  3. Email the table to $Email$

Any advice is appreciated.

0 Karma

SplunkTrust

Hi @ShawnWarner7,

So you mean you want to create an alert that sends out an email to an email address that was found in the events.
Interesting approach, not sure if it works, but you could set the alert trigger condition to "for each event" and try to set a "send email" alert action.

You could then try to write the following in the email field:

$results.Email$

Maybe that works?

0 Karma
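As an added example (not from either post above), here is one way to wire the two pieces together: a search that merges the two indexes and collapses to one row per contact, saved as an alert in savedsearches.conf that triggers once per result row and addresses each email with the per-result token. The index and field names (hostnames, scandata, Hostname, ip_address, Contact, Ip) are taken from the question; the stanza name, schedule, time range and subject line are assumptions.

```ini
# Added example: a savedsearches.conf stanza (e.g. in an app's local/ directory).
# Field and index names follow the question; everything else here is assumed.
[Missing patch report per contact]
enableSched = 1
cron_schedule = 0 7 * * 1
dispatch.earliest_time = -7d@d
dispatch.latest_time = now

# 1. read both indexes, normalise the IP field name, count findings per host
# 2. keep only hosts that have a contact and at least one finding
# 3. collapse to one row per contact so a single email lists all of that contact's hosts
search = (index=hostnames) OR (index=scandata) \
  | eval ip = coalesce(ip_address, Ip) \
  | stats values(Hostname) AS Hostname, values(Contact) AS Contact, \
          count(eval(index="scandata")) AS finding_count BY ip \
  | where isnotnull(Contact) AND finding_count > 0 \
  | stats list(Hostname) AS Hostname, list(ip) AS ip, \
          list(finding_count) AS finding_count BY Contact

# fire once per result row (one row = one contact), not once per search run
alert.digest_mode = 0
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1

# send that row's fields as an inline table to the contact named in the row
action.email = 1
action.email.to = $result.Contact$
action.email.subject = Hosts with missing patches assigned to you
action.email.inline = 1
action.email.sendresults = 1
action.email.format = table
```

Splunk resolves $result.Contact$ separately for each row only because alert.digest_mode = 0; with digest mode on, the token would hold the first row's value for the whole run.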