How to send email to multiple recipients using map command with Python3?

ips_mandar
Builder

Hi,
I am using Splunk 8.0.1 on Windows OS with Python3.
With the help of @woodcock's answer from https://answers.splunk.com/answers/489475/how-configure-an-alert-to-send-an-email-based-on-f.html
I was trying the search below:

 Your Base Search Here
 | outputlookup MyTempLookup.csv
 | stats count by EmailContact
 | map maxsearches=9999 search="|inputlookup MyTempLookup.csv
                                | search EmailContact=$EmailContact$
                                | sendemail to=\"$EmailContact$\" format=raw subject=myresults sendresults=true"

The search is returning results, but it is not sending any mail. When I checked the internal logs, I observed the error below:

ERROR   sendemail:1428 - [HTTP 403] Client is not authorized to perform requested action;
Traceback (most recent call last):
  File "D:\Program Files\Splunk\etc\apps\search\bin\sendemail.py", line 1421, in <module>
    results = sendEmail(results, settings, keywords, argvals)
  File "D:\Program Files\Splunk\etc\apps\search\bin\sendemail.py", line 400, in sendEmail
    jobResponseHeaders, jobResponseBody = simpleRequest(uriToJob, method='GET', getargs={'output_mode':'json'}, sessionKey=sessionKey)
  File "D:\Program Files\Splunk\Python-3.7\lib\site-packages\splunk\rest\__init__.py", line 559, in simpleRequest
    raise splunk.AuthorizationFailed(extendedMessages=uri)
splunk.AuthorizationFailed: [HTTP 403] Client is not authorized to perform requested action

Note: If I try using only the sendemail command, it works and I am able to receive the email.
Is there anything that needs to be modified in sendemail.py for Python3?

Below is a sample query I tried, but it is not sending any email:

 index=_internal
 | stats count by sourcetype
 | eval EmailContact=if(sourcetype="splunkd","email@id.com","email2@id.com")
 | outputlookup MyTempLookup.csv
 | stats values(EmailContact) AS emailToHeader
 | mvexpand emailToHeader
 | map search="|inputlookup MyTempLookup.csv
      | where EmailContact=\"$emailToHeader$\"
      | fields - EmailContact
      | sendemail sendresults=true inline=true
          to=\"$emailToHeader$\"
          subject=\"Your Subject here: \"
          message=\"This report alert was generated by \$app\$ Splunk with this search string: \""

Any idea what mistake I am making in the above query?
Thanks.

0 Karma

sirajnp
Path Finder

It's pretty simple; you don't even need to use the map command. Just enable the send email alert action, set the to: field to $result.email$ (email depends on your field name in the Splunk result) and select the trigger "for each result". An email will be sent to the respective email address for each line of the result.

https://docs.splunk.com/Documentation/Splunk/6.3.3/Alert/Emailnotification#Send_email_to_different_r...

0 Karma

wangjianiu
Explorer

"For each result" would send many emails to one receiver, and we want to send a subset of the results to different users, so this may not help.

0 Karma

sirajnp
Path Finder

Just use a stats by email address at the end. Then you will have only one email per recipient.

0 Karma
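
The alert-action setup described in the two replies above, written out as a `savedsearches.conf` stanza. This is an added example, not part of any post in the thread; the stanza name, schedule, time range and the `email` field name are assumptions, and the search reuses the sample query from the question.

```ini
# savedsearches.conf (constructed example; stanza name is hypothetical)
[Per-recipient sourcetype report]
# Final "stats ... by email" leaves one result row per recipient,
# so each address receives exactly one message.
search = index=_internal | stats count by sourcetype \
    | eval email=if(sourcetype="splunkd","email@id.com","email2@id.com") \
    | stats values(sourcetype) AS sourcetypes sum(count) AS count by email
enableSched = 1
cron_schedule = 0 * * * *
dispatch.earliest_time = -60m
dispatch.latest_time = now
# Trigger when the search returns at least one row
counttype = number of events
relation = greater than
quantity = 0
# 0 = run the alert actions once per result row ("For each result")
alert.digest_mode = 0
action.email = 1
# $result.<field>$ is filled from the row that triggered the action
action.email.to = $result.email$
action.email.subject = myresults
action.email.inline = 1
action.email.sendresults = 1
```

The scheduled alert runs as the owner of the saved search rather than through a `map` subsearch, so `sendemail` is not invoked from inside `map`, which is where the thread reports the 403.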

gjanders
SplunkTrust

Would the sendresults app on SplunkBase work for this issue?

0 Karma

wangjianiu
Explorer

It could work sometimes, but it does not support CSV attachments, and a larger table in an email is not good. It would be better to find out why we have the authentication issue and use the Splunk sendemail.

0 Karma

splunkyfun12721
Loves-to-Learn Lots

I'd assume you are using the MAP command to send an email for each event from your base search, since I found that you can simply use the sendemail command in your main search without using the MAP command.

I found the following SPL works when using MAP with sendemail inside.

... your base search ...
| table emailaddress ...
| map search="|makeresults |sendemail to=\"$emailaddress$\" from=\"me@sample.com\" inline=true sendresults=true subject=mysubject message=mymessage"
0 Karma

wangjianiu
Explorer

I am an admin user and followed a similar query, but I got "sendemail:1428 - [HTTP 403] Client is not authorized to perform requested action" when running sendemail inside the map command. The email could be sent if I run it separately. Do you know how to avoid this?

0 Karma

ips_mandar
Builder

One thing I noticed is that it's not related to Python3, since it is also not working for Python2.
Is there any way I can send email to multiple recipients as per a condition?

0 Karma