
How to dynamically email users about maintenance windows on our search head servers via CLI?

Explorer

Hello all,

I'm very new to Splunk. There are multiple servers and multiple users here. I figured out how to retrieve all of their emails by running:

| rest splunk_server=local /servicesNS/-/-/authentication/users count=0 | fields email | stats values(email) as BCC | nomv BCC | rex mode=sed field=BCC "s/ /,/g"

and I want to be able to dynamically find which users are registered on the server and send one email to all of them (using BCC) alerting them about a maintenance window for that server, from the command line. I would like something like this to work:

sendemail [ | rest splunk_server=local /servicesNS/-/-/authentication/users count=0 | fields email | stats values(email) as BCC
    | nomv BCC | rex mode=sed field=BCC "s/ /,/g" | fields BCC]
    subject="Splunk Server $servername$ Maintenance Notice"
    message="Splunk Server $servername$ will be under maintenance from 2015-08-27 00:00 to 2015-08-27 03:00."
    inline=true server=localhost sendresults=false

but from the command line. How do I do that? The idea is to be able to alert all users before a maintenance takes place, which would prevent them from logging in to the Search Head and eventually getting that from the UI messages function. Thank you very much.

SplunkTrust

You can create a saved search like this

| rest splunk_server=local /servicesNS/-/-/authentication/users count=0 | fields email | stats values(email) as BCC
    | nomv BCC | rex mode=sed field=BCC "s/ /,/g" | fields BCC
    | map maxsearches=1000 search="| gentimes start=-1 | sendemail bcc=\"$BCC$\"
        subject=\"Splunk Server $servername$ Maintenance Notice\"
        message=\"Splunk Server $servername$ will be under maintenance from 2015-08-27 00:00 to 2015-08-27 03:00.\"
        inline=true server=localhost sendresults=false"

and run this saved search from the command line like this:

./splunk search "| savedsearch yourSavedSearchName"

Explorer

I'm now using the roles parameter to better filter which users are supposed to get an email:

| rest splunk_server=local /servicesNS/-/-/authentication/users count=0 | where roles = "canlogin_user" | fields email | stats values(email) as BCC | nomv BCC | rex mode=sed field=BCC "s/ /, /g"

If I could check for its LDAP groups (at AD), I would solve my problem. Can Splunk do that?

0 Karma

Explorer

Thank you! I realized that I need to filter out the users that have access to the particular search head that I need to take into maintenance. How could I filter by the AD groups that the users belong to? We assign the user to a group named G_, so if I could match the security group with the search head hostname, I could send the email only to the people who have access to it.

0 Karma
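An added example, not from anyone in this thread, of the per-host filtering the last post asks for, done from the command line in Python against the same users endpoint instead of in SPL. It assumes the JSON shape of `GET /services/authentication/users?output_mode=json` (`entry[].content.email`, `entry[].content.roles`) and a hypothetical convention in which the Splunk role granting access to a search head is named `G_<short hostname>`; the sample REST output is constructed.

```python
"""Build a de-duplicated BCC list of users whose role grants access to one search head."""
import json
import re

# Constructed sample of the users endpoint output (not real data):
# three LDAP users and one local admin without an e-mail address.
SAMPLE_USERS_JSON = json.dumps({
    "entry": [
        {"name": "alice", "content": {"email": "alice@example.com",
                                      "roles": ["user", "G_sh01"], "type": "LDAP"}},
        {"name": "bob", "content": {"email": "bob@example.com",
                                    "roles": ["user", "G_sh02"], "type": "LDAP"}},
        # same mailbox as alice, written with different case -> must not be mailed twice
        {"name": "carol", "content": {"email": "Alice@Example.com",
                                      "roles": ["G_sh01", "power"], "type": "LDAP"}},
        {"name": "admin", "content": {"email": "", "roles": ["admin"], "type": "Splunk"}},
    ]
})

# Loose sanity check so a malformed address cannot break the sendemail command line.
EMAIL_RE = re.compile(r"^[^@\s,]+@[^@\s,]+$")


def role_for_host(hostname):
    """Hypothetical naming convention: sh01.corp.example -> G_sh01."""
    return "G_" + hostname.split(".")[0]


def bcc_for_host(users_json, hostname):
    """Return a comma-separated BCC list for users holding the host's access role.

    'roles' is multivalue in the REST output, so membership is tested per value.
    Addresses are lowercased and de-duplicated; entries without a usable
    e-mail address are skipped rather than producing an empty recipient.
    """
    wanted = role_for_host(hostname)
    recipients = set()
    for entry in json.loads(users_json).get("entry", []):
        content = entry.get("content", {})
        email = content.get("email", "").strip().lower()
        if wanted in content.get("roles", []) and EMAIL_RE.match(email):
            recipients.add(email)
    return ",".join(sorted(recipients))


if __name__ == "__main__":
    # With real data, replace SAMPLE_USERS_JSON by the body of the REST call.
    print(bcc_for_host(SAMPLE_USERS_JSON, "sh01.corp.example"))
```

The returned string can be handed to `sendemail bcc=...` exactly as the saved search above does with `$BCC$`.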