Hello all,
I'm very new to Splunk. There are multiple servers and multiple users here. I figured out how to retrieve all of their emails by running:
| rest splunk_server=local /servicesNS/-/-/authentication/users count=0 | fields email | stats values(email) as BCC | nomv BCC | rex mode=sed field=BCC "s/ /,/g"
and I want to be able to dynamically find which users are registered on the server and send one email to all of them (using bcc) alerting them about a maintenance window for that server, from the command line. I would like something like this to work:
sendemail [ | rest splunk_server=local /servicesNS/-/-/authentication/users count=0 | fields email | stats values(email) as BCC
| nomv BCC | rex mode=sed field=BCC "s/ /,/g" | fields BCC]
subject="Splunk Server $servername$ Maintenance Notice"
message="Splunk Server $servername$ will be under maintenance from 2015-08-27 00:00 to 2015-08-27 03:00."
inline=true server=localhost sendresults=false
but from the command line. How do I do that? The idea is to be able to alert all users before maintenance takes place, which would prevent them from logging in to the Search Head and eventually getting that from the UI messages function. Thank you very much.
You can create a saved search like this:
| rest splunk_server=local /servicesNS/-/-/authentication/users count=0 | fields email | stats values(email) as BCC
| nomv BCC | rex mode=sed field=BCC "s/ /,/g" | fields BCC
| map maxsearches=1000 search="| gentimes start=-1 | sendemail bcc=\"$BCC$\"
subject=\"Splunk Server $servername$ Maintenance Notice\"
message=\"Splunk Server $servername$ will be under maintenance from 2015-08-27 00:00 to 2015-08-27 03:00.\"
inline=true server=localhost sendresults=false"
and run this saved search from the command line like this:
./splunk search "| savedsearch yoursavessearchName"
I'm now using the roles parameter to better filter which users are supposed to get an email:
| rest splunk_server=local /servicesNS/-/-/authentication/users count=0 | where roles = "can_login_user" | fields email | stats values(email) as BCC | nomv BCC | rex mode=sed field=BCC "s/ /, /g"
If I could check for their LDAP groups (in AD), I would solve my problem. Can Splunk do that?
Thank you! I realized that I need to filter out the users that have access to the particular search head that I need to take into maintenance. How could I filter by the AD groups that the users belong to? We assign the user to a group named G_, so if I could match the security group with the search head hostname, I could send the email only to the people who have access to it.
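A consolidated version of the answer's map + sendemail saved search together with the role filter from the follow-up, as an added example that is not from the original thread. It assumes the role name can_login_user used above, replaces the nomv + rex trick with mvfind/mvjoin (mvfind matches the role exactly within the multivalue roles field, mvjoin builds the comma-separated BCC list), and groups by the splunk_server field that the rest endpoint returns so the host name is substituted into the message; the users endpoint reports roles, not AD group membership, so the role is what you filter on.

```spl
| rest splunk_server=local /servicesNS/-/-/authentication/users count=0
| where isnotnull(mvfind(roles, "^can_login_user$"))
| stats values(email) AS emails BY splunk_server
| eval BCC=mvjoin(emails, ",")
| fields splunk_server BCC
| map maxsearches=10 search="| gentimes start=-1
    | sendemail bcc=\"$BCC$\"
      subject=\"Splunk Server $splunk_server$ Maintenance Notice\"
      message=\"Splunk Server $splunk_server$ will be under maintenance from 2015-08-27 00:00 to 2015-08-27 03:00.\"
      inline=true server=localhost sendresults=false"
```

Save it as a saved search and trigger it from the CLI with the ./splunk search "| savedsearch ..." line given in the answer; with splunk_server=local the stats produces one row per search head, so one email goes out per host.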