Reporting

How to dynamically email users about maintenance windows on our search head servers via CLI?

pedroponchio
Explorer

Hello all,

I'm very new to Splunk. There are multiple servers and multiple users here. I figured out how to retrieve all of their emails by running:

| rest splunk_server=local /servicesNS/-/-/authentication/users count=0 | fields email | stats values(email) as BCC | nomv BCC | rex mode=sed field=BCC "s/ /,/g"

and I want to be able to dynamically find which users are registered on the server and send one email to all of them (using bcc) alerting them about a maintenance window for that server, from the command line. I would like something like this to work:

 sendemail [ | rest splunk_server=local /servicesNS/-/-/authentication/users count=0 | fields email | stats values(email) as BCC 
| nomv BCC | rex mode=sed field=BCC "s/ /,/g" | fields BCC]
subject="Splunk Server $servername$ Maintenance Notice"
message="Splunk Server $servername$ will be under maintenance from 2015-08-27 00:00 to 2015-08-27 03:00."
inline=true server=localhost sendresults=false

but from the command line. How do I do that? The idea is to be able to alert all users before a maintenance takes place, which would prevent them from logging in to the Search Head and eventually getting that from the UI messages function. Thank you very much.

somesoni2
Revered Legend

You can create a saved search like this

| rest splunk_server=local /servicesNS/-/-/authentication/users count=0 | fields email | stats values(email) as BCC 
 | nomv BCC | rex mode=sed field=BCC "s/ /,/g" | fields BCC 
| map maxsearches=1000 search="| gentimes start=-1 | sendemail bcc=\"$BCC$\"
 subject=\"Splunk Server $servername$ Maintenance Notice\"
 message=\"Splunk Server $servername$ will be under maintenance from 2015-08-27 00:00 to 2015-08-27 03:00.\"
 inline=true server=localhost sendresults=false"

and run this saved search from the command line like this

./splunk search "| savedsearch yourSavedSearchName"

pedroponchio
Explorer

I'm now using the roles parameter to better filter which users are supposed to get an email:

| rest splunk_server=local /servicesNS/-/-/authentication/users count=0 | where roles = "can_login_user" | fields email | stats values(email) as BCC | nomv BCC | rex mode=sed field=BCC "s/ /, /g"

If I could check for its LDAP groups (at AD), I would solve my problem. Can Splunk do that?

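As an added example (not code from the thread), here is a Python wrapper around the same idea as the accepted answer and the roles filter in the follow-up: read the user list in the JSON shape of the /services/authentication/users endpoint, keep only users holding a given role, drop any address that could break out of the bcc="..." quoting inside the map search, and assemble the sendemail search plus the splunk search command. The hostname and maintenance window are passed in from the script, because the outer search in the answer emits only BCC and no servername field for $servername$ to pick up; the user records below are constructed sample data.

```python
import json
import re
import shlex

# Constructed sample in the shape of Splunk's /services/authentication/users
# JSON output (entry[].content.email / entry[].content.roles); not thread data.
SAMPLE_USERS_JSON = json.dumps({"entry": [
    {"name": "alice", "content": {"email": "alice@example.com", "roles": ["can_login_user", "user"]}},
    {"name": "bob", "content": {"email": "bob@example.com", "roles": ["admin"]}},
    {"name": "svc", "content": {"email": "", "roles": ["can_login_user"]}},
    {"name": "mallory", "content": {"email": 'm"x@example.com', "roles": ["can_login_user"]}},
]})

# Only addresses that cannot terminate the bcc="..." argument or add a new one.
SAFE_EMAIL = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
SAFE_HOST = re.compile(r"^[A-Za-z0-9.-]+$")


def recipients(users_json, role):
    """Sorted, de-duplicated e-mails of users holding `role`.

    Blank addresses and anything failing SAFE_EMAIL are skipped, so a crafted
    e-mail attribute cannot smuggle extra sendemail arguments into the search."""
    out = set()
    for entry in json.loads(users_json)["entry"]:
        content = entry.get("content", {})
        email = (content.get("email") or "").strip()
        if role in content.get("roles", []) and SAFE_EMAIL.match(email):
            out.add(email)
    return sorted(out)


def maintenance_spl(bcc, host, start, end):
    """Build the per-row sendemail search that the saved search in the answer runs."""
    if not SAFE_HOST.match(host):
        raise ValueError("unexpected characters in hostname")
    return (
        "| gentimes start=-1 "
        f"| sendemail bcc=\"{','.join(bcc)}\" "
        f"subject=\"Splunk Server {host} Maintenance Notice\" "
        f"message=\"Splunk Server {host} will be under maintenance from {start} to {end}.\" "
        "inline=true server=localhost sendresults=false"
    )


def cli_command(spl, splunk_bin="./splunk"):
    """Shell-quote the search so it survives being passed to `splunk search`."""
    return f"{splunk_bin} search {shlex.quote(spl)}"


if __name__ == "__main__":
    bcc = recipients(SAMPLE_USERS_JSON, "can_login_user")
    print(cli_command(maintenance_spl(bcc, "sh01", "2015-08-27 00:00", "2015-08-27 03:00")))
```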

pedroponchio
Explorer

Thank you! I realized that I need to filter out the users that have access to the particular search head that I need to take into maintenance. How could I filter by the AD groups that the users belong to? We assign the user to a group named G_, so if I could match the security group with the search head hostname, I could send the email only to the people that have access to it.
