How to get Splunk sendemail command to send multiple emails based on search results 2016

ThomasControlw1
Explorer

Cheers to all Splunkers,

One more question on this topic (How to get Splunk sendemail command to send multiple emails based on search results).
I read a lot of stuff and spent a lot of time on it, but without success.
Why does the following search send only to the TO email address and the first email address of the search result?
The goal is that all email recipients from the search get an email.

Could someone please assist?

SplunkCore V6.3.1
Search:
sourcetype=Authenticator user="*" action=Authentication status=Success
| eval username =lower(user)
| stats latest(_time) as Login by username
| eval tnow =now()
| eval diff =tnow - Login
| convert ctime(Login)
| convert ctime(tnow)
| eval diff1 = strftime(diff,"%j")
| join [ inputlookup userauth.csv
| rename "# username" as username ]
| eval cc_all=mvjoin(email, ",")
| where diff1 > 90
| table "first name" "last name" Login username "email" "mobile number" "diff1" cc_all
| sort diff1
| sendemail to=$result.bcc$ cc=some@email.de format=html subject="short discription" from=other.e@mail.de priority=highest footer="text" server=smtp.1234.de sendresults=false

The table result is as expected; the cc_all field has a lot of email addresses to send to.

5/12/16 2:45:27.404 PM

2016-05-12 14:45:27,404 +0200 INFO sendemail:112 - Sending email. subject="short discription", results_link="None", recipients="[u'thxxog@cxxe.de', u'first@result.email.adresse']", server="smtp.1234.de"
source = /opt/splunk/var/log/splunk/python.log

Thanks in advance

1 Solution

somesoni2
Revered Legend

Give this a try

sourcetype=Authenticator user="*" action=Authentication status=Success
| eval username =lower(user)
| stats latest(_time) as Login by username
| eval tnow =now()
| eval diff =tnow - Login
| convert ctime(Login)
| convert ctime(tnow)
| eval diff1 = strftime(diff,"%j")
| join [ inputlookup userauth.csv
| rename "# username" as username ]
| eval cc_all=mvjoin(email, ",")
| where diff1 > 90
| table "first name" "last name" Login username "email" "mobile number" "diff1" cc_all
| sort diff1 | map maxsearches=PutAnIntegerNumberHere search="| gentimes start=-1 | sendemail to=$bcc$ cc=some@email.de format=html subject=\"short discription\" from=other.e@mail.de priority=highest footer=\"text\" server=smtp.1234.de sendresults=false"


sirajnp
Path Finder

It's pretty simple. Just enable the send email alert action, in the "to:" field set $result.email$ (email depends on your field name in the Splunk result), and select the trigger "for each result". The email will be sent to the respective email address for each line of the result.

https://docs.splunk.com/Documentation/Splunk/6.3.3/Alert/Emailnotification#Send_email_to_different_r...


sirajnp
Path Finder

It's pretty simple; you don't even need to use the map command. Just enable the send email alert action, in the "to:" field set $result.email$, and select the trigger "for each result". The email will be sent to the respective email address for each line of the result.


ThomasControlw1
Explorer

Hi somesoni2,
Great job, this works perfectly for me.
There was one typo: "| sendemail to=$bcc$" must be | sendemail to=$cc_all$
What exactly does "map maxsearches=PutAnIntegerNumberHere search="| gentimes start=-1 " mean?

Could you please explain it once more?
Thanks a lot

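As an added example (not posted by anyone in this thread), here is the accepted approach written out in full with the $cc_all$ token the asker corrected: map runs its inner search once per row of the outer results, substituting that row's field values into $...$ tokens, and gentimes start=-1 just produces a single dummy event so that sendemail has a result to act on. The days-idle calculation is also changed to a plain division, because strftime(diff,"%j") returns the day-of-year of the epoch offset (001 on day zero, wrapping after 365 days), so an account idle for more than a year would be under-counted and missed; maxsearches=100 is an assumed value that must be at least the number of rows returned.

```spl
sourcetype=Authenticator user="*" action=Authentication status=Success
| eval username=lower(user)
| stats latest(_time) as Login by username
| join username [ inputlookup userauth.csv | rename "# username" as username ]
| eval days_since_login=round((now()-Login)/86400)
| where days_since_login > 90
| eval cc_all=mvjoin(email, ",")
| table "first name" "last name" username Login days_since_login cc_all
| sort days_since_login
| map maxsearches=100 search="| gentimes start=-1 | sendemail to=$cc_all$ cc=some@email.de format=html subject=\"Stale account: $username$\" from=other.e@mail.de priority=highest footer=\"text\" server=smtp.1234.de sendresults=false"
```

If maxsearches is smaller than the number of stale accounts, map silently stops after that many rows, so check the row count of the outer search (or set a generous limit) before trusting that every recipient was mailed.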

ThomasControlw1
Explorer

Hi somesoni2,
Great job!
There was one typo; with "| sendemail to=$cc_all$" it works perfectly.
Could you please explain in more detail what " | map maxsearches=PutAnIntegerNumberHere search="| gentimes start=-1 |" means?

Thanks a lot
