Reporting

How to get Splunk sendemail command to send multiple emails based on search results 2016

ThomasControlw1
Explorer

Cheers @ all Splunkers,

One more question on this topic (How to get Splunk sendemail command to send multiple emails based on search results).
I read a lot of stuff & took a lot of time, but without success.
Why does the following search send only to the TO email address and the first email address of the search result?
The goal is that all email recipients from the search get an email.

Could someone please assist?

SplunkCore V6.3.1
Search:
sourcetype=Authenticator user="*" action=Authentication status=Success
| eval username =lower(user)
| stats latest(_time) as Login by username
| eval tnow =now()
| eval diff =tnow - Login
| convert ctime(Login)
| convert ctime(tnow)
| eval diff1 = strftime(diff,"%j")
| join [ inputlookup userauth.csv
| rename "# username" as username ]
| eval cc_all=mvjoin(email, ",")
| where diff1 > 90
| table "first name" "last name" Login username "email" "mobile number" "diff1" cc_all
| sort diff1
| sendemail to=$result.bcc$ cc=some@email.de format=html subject="short discription" from=other.e@mail.de priority=highest footer="text" server=smtp.1234.de sendresults=false

The table result is as expected; the cc_all field has a lot of email addresses to send to.

5/12/16 2:45:27.404 PM

2016-05-12 14:45:27,404 +0200 INFO sendemail:112 - Sending email. subject="short discription", results_link="None", recipients="[u'thxxog@cxxe.de', u'first@result.email.adresse']", server="smtp.1234.de"
source = /opt/splunk/var/log/splunk/python.log

Thanks in advance

1 Solution

somesoni2
SplunkTrust

Give this a try

sourcetype=Authenticator user="*" action=Authentication status=Success
| eval username =lower(user)
| stats latest(_time) as Login by username
| eval tnow =now()
| eval diff =tnow - Login
| convert ctime(Login)
| convert ctime(tnow)
| eval diff1 = strftime(diff,"%j")
| join [ inputlookup userauth.csv
| rename "# username" as username ]
| eval cc_all=mvjoin(email, ",")
| where diff1 > 90
| table "first name" "last name" Login username "email" "mobile number" "diff1" cc_all
| sort diff1 | map maxsearches=PutAnIntegerNumberHere search="| gentimes start=-1 | sendemail to=$bcc$ cc=some@email.de format=html subject=\"short discription\" from=other.e@mail.de priority=highest footer=\"text\" server=smtp.1234.de sendresults=false"
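
As an added stand-alone illustration (not code from this thread or from Splunk), the Python below mirrors the search's logic offline: latest successful login per lowercased user, a join against a constructed userauth.csv lookup, a 90-day threshold, and one message per result row, which is what the map/sendemail fan-out above achieves. The events, lookup rows and addresses are constructed, the day count is computed as seconds/86400, and nothing is sent.

```python
import csv
import io
from datetime import datetime, timezone
from email.message import EmailMessage

# Constructed sample data for the demo; none of it is real.
NOW = datetime(2016, 5, 12, 14, 45, tzinfo=timezone.utc).timestamp()
AUTH_EVENTS = [  # (user, action, status, _time as epoch seconds)
    ("Alice", "Authentication", "Success", NOW - 120 * 86400),
    ("alice", "Authentication", "Success", NOW - 100 * 86400),
    ("bob",   "Authentication", "Success", NOW - 10 * 86400),
    ("carol", "Authentication", "Failure", NOW - 5 * 86400),
    ("carol", "Authentication", "Success", NOW - 400 * 86400),
]
USERAUTH_CSV = """# username,first name,last name,email,mobile number
alice,Alice,Example,alice@example.test,+49 0000
bob,Bob,Example,bob@example.test,+49 0001
carol,Carol,Example,carol@example.test,+49 0002
"""

def stale_logins(events, lookup_csv, now, max_days=90):
    """Latest successful login per lowercased user, joined with the lookup,
    kept when the login is older than max_days (days = seconds // 86400)."""
    latest = {}
    for user, action, status, t in events:
        if action == "Authentication" and status == "Success":
            u = user.lower()                      # eval username=lower(user)
            latest[u] = max(latest.get(u, 0), t)  # stats latest(_time) by username
    rows = []
    for rec in csv.DictReader(io.StringIO(lookup_csv)):
        u = rec["# username"].lower()             # rename "# username" as username
        if u not in latest:
            continue                              # inner join drops users without a login
        days = int((now - latest[u]) // 86400)
        if days > max_days:                       # where diff1 > 90
            rows.append({**rec, "username": u, "diff1": days})
    return sorted(rows, key=lambda r: r["diff1"])  # sort diff1

def build_mails(rows, cc="some@email.de", sender="other.e@mail.de"):
    """One message per result row: the per-result fan-out that map/sendemail provides."""
    mails = []
    for r in rows:
        msg = EmailMessage()
        msg["To"], msg["Cc"], msg["From"] = r["email"], cc, sender
        msg["Subject"] = f"No successful login for {r['diff1']} days"
        msg.set_content(f"{r['first name']} {r['last name']} ({r['username']}) "
                        f"last logged in {r['diff1']} days ago.")
        mails.append(msg)
    return mails
```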

sirajnp
Path Finder

It's pretty simple. Just enable the send email alert action, in the To: field set $result.email$ (email - depends upon your field name in the Splunk result) and select the trigger "for each result". An email will be sent to the respective email address for each line of the result.

https://docs.splunk.com/Documentation/Splunk/6.3.3/Alert/Emailnotification#Send_email_to_different_r...

0 Karma

sirajnp
Path Finder

It's pretty simple, you don't even need to use the map command. Just enable the send email alert action, in the To: field set $result.email$ and select the trigger "for each result". An email will be sent to the respective email address for each line of the result.

0 Karma

ThomasControlw1
Explorer

Hi somesoni2,
Great job, this works perfectly for me.
There was one typo: "| sendemail to=$bcc$" must be "| sendemail to=$cc_all$".
What exactly does "map maxsearches=PutAnIntegerNumberHere search="| gentimes start=-1 "" mean?

Could you please explain once more?
Thanks a lot

0 Karma

ThomasControlw1
Explorer

Hi somesoni2,
Great job!
There was one typo; with "| sendemail to=$cc_all$" it works perfectly.
Could you please explain in more detail what " | map maxsearches=PutAnIntegerNumberHere search="| gentimes start=-1 |" means?

Thanks a lot

0 Karma