How do I send emails to different groups based on search result contents for host field?

I execute a search and, from the search results, if the host contains hostA, I want to send email to groupA. If it contains hostB then I want to send an email to hostB. Sometimes the search results can contain both hostA and hostB in which case I want to send email to both groupA and groupB.

0 Karma


I am making one assumption:
1. In the second condition you have provided, your host values are comma delimited (when they both come together).

Going by this assumption, I suggest you use a lookup to prepopulate the email ids based on host names and then call another splunk command sendemail. Here is a sample one:

| makeresults 
| eval host="a,b" 
| makemv host delim=","
| mvexpand host| lookup emaillist host as HOST OUTPUT email as EMAIL| sendemail to=EMAIL

Here even if your host value is only a or only b, it should still work. Lookup helps you managing the email ids without touching the query. However, you can also put some if-else logic in the query to get this done. But that may require changes in query, even if you want to update any spelling.

Let me know if this helps.

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!