Reporting

How to get Splunk sendemail command to send multiple emails based on search results 2016

ThomasControlw1
Explorer

cheers @ all splunker,

one more question of this topic. (How to get Splunk sendemail command to send multiple emails based on search results)
I read a lot of stuff & take a lot of time but without success.
why the following search sent only to TO Emailladress and the first Emailadress of searchresult.
the goal is that all email recipient from search got an email.

could please someone assit?

SplunkCore V6.3.1
Search:
sourcetype=Authenticator user="*" action=Authentication status=Success
| eval username =lower(user)
| stats latest(_time) as Login by username
| eval tnow =now()
| eval diff =tnow - Login
| convert ctime(Login)
| convert ctime(tnow)
| eval diff1 = strftime(diff,"%j")
| join [ inputlookup userauth.csv
| rename "# username" as username ]
| eval cc_all=mvjoin(email, ",")
| where diff1 > 90
| table "first name" "last name" Login username "email" "mobile number" "diff1" cc_all
| sort diff1
| sendemail to=$result.bcc$ cc=some@email.de format=html subject="short discription" from=other.e@mail.de priority=highest footer="text" server=smtp.1234.de sendresults=false

the table result as aspected, the cc_all field has a lot of emailadreses to sent

5/12/16 2:45:27.404 PM

2016-05-12 14:45:27,404 +0200 INFO sendemail:112 - Sending email. subject="short discription", results_link="None", recipients="[u'thxxog@cxxe.de', u'first@result.email.adresse']", server="smtp.1234.de"
source = /opt/splunk/var/log/splunk/python.log

thanks in advance

1 Solution

somesoni2
Revered Legend

Give this a try

sourcetype=Authenticator user="*" action=Authentication status=Success
| eval username =lower(user)
| stats latest(_time) as Login by username
| eval tnow =now()
| eval diff =tnow - Login
| convert ctime(Login)
| convert ctime(tnow)
| eval diff1 = strftime(diff,"%j")
| join [ inputlookup userauth.csv
| rename "# username" as username ]
| eval cc_all=mvjoin(email, ",")
| where diff1 > 90
| table "first name" "last name" Login username "email" "mobile number" "diff1" cc_all
| sort diff1 | map maxsearches=PutAnIntegerNumberHere search="| gentimes start=-1 | sendemail to=$bcc$ cc=some@email.de format=html subject=\"short discription\" from=other.e@mail.de priority=highest footer=\"text\" server=smtp.1234.de sendresults=false"

View solution in original post

sirajnp
Path Finder

It's pretty simple. Just enable send email alert action and in to: field set $result.email$ (email - depend upon your field name in Splunk result) and select trigger "for each result". Email will be send to the respective email address for each line of result.

https://docs.splunk.com/Documentation/Splunk/6.3.3/Alert/Emailnotification#Send_email_to_different_r...

0 Karma

sirajnp
Path Finder

It's pretty simple, don't even need to use map command. Just enable send email alert action and in to: field set $result.email$ and select trigger "for each result". Email will be send to the respective email address for each line of result.

0 Karma

ThomasControlw1
Explorer

Hi somesoni2,
great job this works perfekt for me.
there was on typo "| sendemail to=$bcc$" it must be | sendemail to=$cc_all$
what exactly means "map maxsearches=PutAnIntegerNumberHere search="| gentimes start=-1 "

could you please explain one more?
Thanks a lot

0 Karma

somesoni2
Revered Legend

Give this a try

sourcetype=Authenticator user="*" action=Authentication status=Success
| eval username =lower(user)
| stats latest(_time) as Login by username
| eval tnow =now()
| eval diff =tnow - Login
| convert ctime(Login)
| convert ctime(tnow)
| eval diff1 = strftime(diff,"%j")
| join [ inputlookup userauth.csv
| rename "# username" as username ]
| eval cc_all=mvjoin(email, ",")
| where diff1 > 90
| table "first name" "last name" Login username "email" "mobile number" "diff1" cc_all
| sort diff1 | map maxsearches=PutAnIntegerNumberHere search="| gentimes start=-1 | sendemail to=$bcc$ cc=some@email.de format=html subject=\"short discription\" from=other.e@mail.de priority=highest footer=\"text\" server=smtp.1234.de sendresults=false"

ThomasControlw1
Explorer

Hi somesoni2,
great JOB!
thre was on typo, "| sendemail to=$cc_all$" and it will work perfectly.
could you please explaine on more detail what " | map maxsearches=PutAnIntegerNumberHere search="| gentimes start=-1 |" means?

Thanks a lot

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...