How to send email to multiple recipients using map command with Python3?
Hi,
I am using Splunk 8.0.1 on Windows OS with Python3.
With the help of @woodcock's answer from https://answers.splunk.com/answers/489475/how-configure-an-alert-to-send-an-email-based-on-f.html
I was trying the search below:
Your Base Search Here
| outputlookup MyTempLookup.csv
| stats count by EmailContact
| map maxsearches=9999 search="|inputlookup MyTempLookup.csv
| search EmailContact=$EmailContact$
| sendemail to=\"$EmailContact$\" format=raw subject=myresults sendresults=true"
The search is returning results, but it is not sending any mail, and when I checked the internal logs I observed the error below:
ERROR sendemail:1428 - [HTTP 403] Client is not authorized to perform requested action;
Traceback (most recent call last):
  File "D:\Program Files\Splunk\etc\apps\search\bin\sendemail.py", line 1421, in <module>
    results = sendEmail(results, settings, keywords, argvals)
  File "D:\Program Files\Splunk\etc\apps\search\bin\sendemail.py", line 400, in sendEmail
    jobResponseHeaders, jobResponseBody = simpleRequest(uriToJob, method='GET', getargs={'output_mode':'json'}, sessionKey=sessionKey)
  File "D:\Program Files\Splunk\Python-3.7\lib\site-packages\splunk\rest\__init__.py", line 559, in simpleRequest
    raise splunk.AuthorizationFailed(extendedMessages=uri)
splunk.AuthorizationFailed: [HTTP 403] Client is not authorized to perform requested action
Note: If I use only the sendemail command, it works and I am able to receive the email.
Is there anything that needs to be modified in the sendemail.py command for Python3?
Below is a sample query I tried, but it is not sending any email:
index=_internal
| stats count by sourcetype
| eval EmailContact=if(sourcetype="splunkd","email@id.com","email2@id.com")
| outputlookup MyTempLookup.csv
| stats values(EmailContact) AS emailToHeader
| mvexpand emailToHeader
| map search="|inputlookup MyTempLookup.csv | where EmailContact=\"$emailToHeader$\"
| fields - EmailContact
| sendemail
sendresults=true inline=true
to=\"$emailToHeader$\"
subject=\"Your Subject here: \"
message=\"This report alert was generated by \$app\$ Splunk with this search string: \""
Any idea what mistake I am making in the above query?
Thanks.
It's pretty simple; you don't even need to use the map command. Just enable the send email alert action, set the To: field to $result.email$ (email depends on your field name in the Splunk result), and select the trigger "for each result". An email will be sent to the respective email address for each line of the result.
"For each result" would send many emails to one receiver, and we want to send a subset of the results to different users, so this may not help.
Just use a stats by email address at the end. Then you will have only one email per recipient.
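
The alert-action approach from the two answers above, written out as a savedsearches.conf stanza. This is an added example, not configuration posted in the thread: the stanza name, schedule, time range and subject text are assumptions, and the search reuses the sample query and the EmailContact field from the question.

```ini
# savedsearches.conf (added example; stanza name and schedule are assumptions)
[Per-recipient sourcetype summary]
# Final stats collapses the results to one row per recipient, so the
# per-result trigger below produces one email per address.
search = index=_internal \
| stats count by sourcetype \
| eval EmailContact=if(sourcetype="splunkd","email@id.com","email2@id.com") \
| stats sum(count) AS events values(sourcetype) AS sourcetypes by EmailContact

# Run hourly over the previous hour.
enableSched = 1
cron_schedule = 0 * * * *
dispatch.earliest_time = -60m@m
dispatch.latest_time = now

# Trigger whenever the search returns at least one row.
counttype = number of events
relation = greater than
quantity = 0

# 0 = run the alert actions once for each result ("for each result" in the UI);
# 1 would run them once for the whole result set.
alert.digest_mode = 0

# Email action: the recipient is taken from the EmailContact field of the
# row that triggered the action.
action.email = 1
action.email.to = $result.EmailContact$
action.email.subject = Sourcetype summary for $result.EmailContact$
action.email.sendresults = 1
action.email.inline = 1
action.email.format = table
```

Each recipient receives the single aggregated row for their address, so any detail they need has to be carried into that row by the final stats.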
Would the sendresults app on SplunkBase work for this issue?
It could work sometimes, but it does not support CSV attachments, and a larger table in an email is not good. It would be better to find out why we have the authentication issue and use the Splunk sendemail.
I'd assume you are using the MAP command to send an email for each event from your base search, since I found that you can simply use the sendemail command in your main search without using the MAP command.
I found the following SPL works when using MAP with sendemail inside.
... your base search ...
| table emailaddress ...
| map search="|makeresults |sendemail to=\"$emailaddress$\" from=\"me@sample.com\" inline=true sendresults=true subject=mysubject message=mymessage"
I am an admin user and followed a similar query, but I got "sendemail:1428 - [HTTP 403] Client is not authorized to perform requested action" when I ran sendemail inside the map command. The email could be sent if I ran it separately. Do you know how to avoid this?
One thing I noticed is that it's not related to Python3, since it is also not working for Python2.
Is there any way by which I can send email to multiple recipients as per a condition?
