How to send email to multiple recipients using map command with Python3?

ips_mandar
Builder

Hi,
I am using Splunk 8.0.1 on Windows with Python 3.
With the help of @woodcock's answer from https://answers.splunk.com/answers/489475/how-configure-an-alert-to-send-an-email-based-on-f.html
I was trying the search below:

 Your Base Search Here
 | outputlookup MyTempLookup.csv
 | stats count by EmailContact
 | map maxsearches=9999 search="|inputlookup MyTempLookup.csv
                                | search EmailContact=$EmailContact$
                                | sendemail to=\"$EmailContact$\" format=raw subject=myresults sendresults=true"

The search returns results, but it does not send any mail, and when I checked the internal logs I observed the error below:

ERROR   sendemail:1428 - [HTTP 403] Client is not authorized to perform requested action;
Traceback (most recent call last):
  File "D:\Program Files\Splunk\etc\apps\search\bin\sendemail.py", line 1421, in <module>
    results = sendEmail(results, settings, keywords, argvals)
  File "D:\Program Files\Splunk\etc\apps\search\bin\sendemail.py", line 400, in sendEmail
    jobResponseHeaders, jobResponseBody = simpleRequest(uriToJob, method='GET', getargs={'output_mode':'json'}, sessionKey=sessionKey)
  File "D:\Program Files\Splunk\Python-3.7\lib\site-packages\splunk\rest\__init__.py", line 559, in simpleRequest
    raise splunk.AuthorizationFailed(extendedMessages=uri)
splunk.AuthorizationFailed: [HTTP 403] Client is not authorized to perform requested action

Note: if I use only the sendemail command, it works and I am able to receive the email.
Is there anything that needs to be modified in sendemail.py for Python 3?

I tried the sample query below, but it does not send any email:

 index=_internal
 | stats count by sourcetype
 | eval EmailContact=if(sourcetype="splunkd","email@id.com","email2@id.com")
 | outputlookup MyTempLookup.csv
 | stats values(EmailContact) AS emailToHeader
 | mvexpand emailToHeader
 | map search="|inputlookup MyTempLookup.csv
      | where EmailContact=\"$emailToHeader$\"
      | fields - EmailContact
      | sendemail
         sendresults=true inline=true
         to=\"$emailToHeader$\"
         subject=\"Your Subject here: \"
         message=\"This report alert was generated by \$app\$ Splunk with this search string: \""

Any idea what mistake I am making in the above query?
Thanks.

0 Karma

splunkyfun12721
Loves-to-Learn Lots

I'd assume you are using the MAP command to send an email for each event from your base search, since I found that you can simply use the sendemail command in your main search without using the MAP command.

I found the following SPL works when using MAP with sendemail inside.

... your base search ...
| table emailaddress ...
| map search="|makeresults |sendemail to=\"$emailaddress$\" from=\"me@sample.com\" inline=true sendresults=true subject=mysubject message=mymessage"
0 Karma

ips_mandar
Builder

One thing I noticed is that it's not related to Python 3, since it is also not working with Python 2.
Is there any way I can send email to multiple recipients as per a condition?

0 Karma
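
One way to do the per-recipient split outside the `map`/`sendemail` path, added here as an example and not code from the thread or from Splunk: it groups an exported copy of MyTempLookup.csv by EmailContact, builds one message per recipient, and rejects recipient values that are not a single plain address, since those values come from search results. The sample rows, the sender address and the function name `build_messages` are assumptions.

```python
import csv
import io
import re
from collections import defaultdict
from email.message import EmailMessage

# Constructed sample standing in for MyTempLookup.csv (not data from the thread).
# The last row carries a CR/LF header-injection attempt in the recipient field.
SAMPLE_LOOKUP = """sourcetype,count,EmailContact
splunkd,120,email@id.com
splunk_web_access,7,email2@id.com
scheduler,15,email2@id.com
mongod,3,"bad@id.com\r\nBcc: other@id.com"
"""

# Conservative check: exactly one address, no whitespace or control characters.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def build_messages(lookup_csv, sender="splunk-reports@example.com",
                   subject="myresults", contact_field="EmailContact"):
    """Return (messages, rejected): one EmailMessage per valid recipient."""
    groups, rejected = defaultdict(list), []
    for row in csv.DictReader(io.StringIO(lookup_csv)):
        # Remove the routing column from the payload, like `fields - EmailContact`.
        contact = row.pop(contact_field, "") or ""
        if ADDRESS_RE.fullmatch(contact):
            groups[contact].append(row)
        else:
            rejected.append(contact)  # keep for review instead of mailing
    messages = []
    for contact, rows in sorted(groups.items()):
        body = io.StringIO()
        writer = csv.DictWriter(body, fieldnames=list(rows[0]), lineterminator="\n")
        writer.writeheader()
        writer.writerows(rows)
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = contact
        msg["Subject"] = subject
        msg.set_content(body.getvalue())
        messages.append(msg)
    return messages, rejected


if __name__ == "__main__":
    msgs, bad = build_messages(SAMPLE_LOOKUP)
    print(f"{len(msgs)} messages built, {len(bad)} recipient values rejected")
```

Each returned message can be handed to `smtplib.SMTP(...).send_message()` against your own mail relay.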