Reporting

How to dynamically email users about maintenance windows on our search head servers via CLI?

pedroponchio
Explorer

Hello all,

I'm very new to Splunk. There are multiple servers and multiple users here. I figured out how to retrieve all of their emails by running:

| rest splunk_server=local /servicesNS/-/-/authentication/users count=0 | fields email | stats values(email) as BCC | nomv BCC | rex mode=sed field=BCC "s/ /,/g"

and I want to be able to dynamically find which users are registered on the server and send one email to all of them (using BCC) alerting them about a maintenance window for that server, from the command line. I would like something like this to work:

sendemail [ | rest splunk_server=local /servicesNS/-/-/authentication/users count=0 | fields email | stats values(email) as BCC
| nomv BCC | rex mode=sed field=BCC "s/ /,/g" | fields BCC ]
subject="Splunk Server $servername$ Maintenance Notice"
message="Splunk Server $servername$ will be under maintenance from 2015-08-27 00:00 to 2015-08-27 03:00."
inline=true server=localhost sendresults=false

but from the command line. How do I do that? The idea is to be able to alert all users before a maintenance takes place, which would prevent them from logging in to the Search Head and eventually getting that from the UI messages function. Thank you very much.

somesoni2
SplunkTrust

You can create a saved search like this

| rest splunk_server=local /servicesNS/-/-/authentication/users count=0 | fields email | stats values(email) as BCC 
 | nomv BCC | rex mode=sed field=BCC "s/ /,/g" | fields BCC 
| map maxsearches=1000 search="| gentimes start=-1 | sendemail bcc=\"$BCC$\"
 subject=\"Splunk Server $servername$ Maintenance Notice\"
 message=\"Splunk Server $servername$ will be under maintenance from 2015-08-27 00:00 to 2015-08-27 03:00.\"
 inline=true server=localhost sendresults=false"

and run this saved search from the command line like this

./splunk search "| savedsearch yourSavedSearchName"
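As an added example (not code from this thread, from somesoni2, or from Splunk): the same saved-search logic wrapped in a POSIX shell script so the search head name, the maintenance window and the role to notify are parameters instead of literals. It assumes SPLUNK_HOME points at the Splunk install, that the role to notify is can_login_user as in the question, and that the script is saved as notify_maintenance.sh (a hypothetical name). It also adds `| eval servername=...` so the `$servername$` token inside the map subsearch has a value, which the query above never defines. Each argument is validated before it is interpolated into SPL: a stray quote or pipe in an argument would otherwise become part of the search and run with the caller's Splunk role.

```shell
#!/bin/sh
# Added example, not code from the thread or from Splunk. Assumes $SPLUNK_HOME
# points at a Splunk install; the script name notify_maintenance.sh is hypothetical.
set -u

# Input validation. Arguments are interpolated into SPL below, so a value such as
# 'sh01" | delete' must be rejected here rather than become part of the search.
valid_host() { printf '%s' "$1" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$'; }
valid_role() { printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]+$'; }
valid_ts()   { printf '%s' "$1" | grep -Eq '^[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}$'; }

# build_spl HOST START END ROLE: prints the SPL for one maintenance notice, or
# returns 1 if any argument is malformed. The outer search collects recipients
# holding ROLE; 'eval servername' gives the $servername$ token in the map
# subsearch a value (the thread's query uses the token but never defines it).
build_spl() {
    host=$1; start=$2; end=$3; role=$4
    valid_host "$host" && valid_role "$role" && valid_ts "$start" && valid_ts "$end" || return 1
    # Inner search run by map. The single-quoted printf format keeps $BCC$ and
    # $servername$ literal for Splunk; \\" becomes \" so sendemail's quotes
    # survive inside the map search="..." string.
    inner=$(printf '| gentimes start=-1 | sendemail bcc=\\"$BCC$\\" subject=\\"Splunk Server $servername$ Maintenance Notice\\" message=\\"Splunk Server $servername$ will be under maintenance from %s to %s.\\" inline=true server=localhost sendresults=false' "$start" "$end")
    printf '%s' "| rest splunk_server=local /servicesNS/-/-/authentication/users count=0 | search roles=\"$role\" | fields email | stats values(email) as BCC | nomv BCC | rex mode=sed field=BCC \"s/ /,/g\" | eval servername=\"$host\" | fields BCC servername | map maxsearches=1 search=\"$inner\""
}

# send_notice HOST START END ROLE: run the search through the Splunk CLI.
# No -auth flag: run 'splunk login' beforehand so the stored session is used
# and the password never appears on the command line or in ps(1).
send_notice() {
    spl=$(build_spl "$@") || { echo "notify_maintenance: invalid argument" >&2; return 1; }
    "$SPLUNK_HOME/bin/splunk" search "$spl"
}

# Only act when invoked with four arguments on a host that has Splunk installed.
if [ $# -eq 4 ] && [ -n "${SPLUNK_HOME:-}" ] && [ -x "$SPLUNK_HOME/bin/splunk" ]; then
    send_notice "$@"
fi
```

Usage on the search head: `splunk login` once, then `./notify_maintenance.sh sh01.example.com "2015-08-27 00:00" "2015-08-27 03:00" can_login_user`. The `server=localhost` setting keeps the thread's assumption that an SMTP relay listens on the search head; `search roles="can_login_user"` matches any user whose multivalue roles field contains that role.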

pedroponchio
Explorer

I'm now using the roles parameter to better filter which users are supposed to get an email:

| rest splunk_server=local /servicesNS/-/-/authentication/users count=0 | where roles = "can_login_user" | fields email | stats values(email) as BCC | nomv BCC | rex mode=sed field=BCC "s/ /, /g"

If I could check their LDAP groups (in AD), I would solve my problem. Can Splunk do that?

0 Karma

pedroponchio
Explorer

Thank you! I realized that I need to filter the users that have access to the particular search head that I need to take into maintenance. How could I filter by the AD groups that the users belong to? We assign the user to a group named G_, so if I could match the security group with the search head hostname, I could send the email only to the people that have access to it.

0 Karma