Hi,
I am using splunk 8.0.1 on windows OS with Python3.
With the help of @woodcock's answer from https://answers.splunk.com/answers/489475/how-configure-an-alert-to-send-an-email-based-on-f.html
I was trying the search below:
Your Base Search Here
| outputlookup MyTempLookup.csv
| stats count by EmailContact
| map maxsearches=9999 search="|inputlookup MyTempLookup.csv
| search EmailContact=$EmailContact$
| sendemail to=\"$EmailContact$\" format=raw subject=myresults sendresults=true"
The search returns results, but it is not sending any mail, and when I checked the internal logs I observed the error below:
ERROR sendemail:1428 - [HTTP 403] Client is not authorized to perform requested action;
Traceback (most recent call last):
File "D:\Program Files\Splunk\etc\apps\search\bin\sendemail.py", line 1421, in <module>
results = sendEmail(results, settings, keywords, argvals)
File "D:\Program Files\Splunk\etc\apps\search\bin\sendemail.py", line 400, in sendEmail
jobResponseHeaders, jobResponseBody = simpleRequest(uriToJob, method='GET', getargs={'output_mode':'json'}, sessionKey=sessionKey)
File "D:\Program Files\Splunk\Python-3.7\lib\site-packages\splunk\rest\__init__.py", line 559, in simpleRequest
raise splunk.AuthorizationFailed(extendedMessages=uri)
splunk.AuthorizationFailed: [HTTP 403] Client is not authorized to perform requested action
Note: if I try using only the sendemail command, it works and I am able to receive the email.
Is there anything that needs to be modified in the sendemail.py command for Python 3?
Below is the sample query I tried, but it is not sending any email:
index=_internal | stats count by sourcetype | eval EmailContact=if(sourcetype="splunkd","email@id.com","email2@id.com")
| outputlookup MyTempLookup.csv | stats values(EmailContact) AS emailToHeader | mvexpand emailToHeader | map search="|inputlookup MyTempLookup.csv | where EmailContact=\"$emailToHeader$\"
| fields - EmailContact
| sendemail
sendresults=true inline=true
to=\"$emailToHeader$\"
subject=\"Your Subject here: \"
message=\"This report alert was generated by \$app\$ Splunk with this search string: \""
Any idea what mistake I am making in the above query?
Thanks.
It's pretty simple, you don't even need to use the map command. Just enable the send email alert action, set $result.email$ in the To: field (email depends on your field name in the Splunk result) and select the trigger "for each result". An email will be sent to the respective email address for each line of the result.
"For each result" would send many emails to one receiver, and we want to send a subset of the results to different users, so this may not help.
Just use a stats by email address at the end. Then you will have only one email per recipient.
Would the sendresults app on SplunkBase work for this issue?
It could work sometimes, but it does not support CSV attachments, and a large table in an email is not good. It is better to find out why we have the authentication issue and use the Splunk sendemail.
I'd assume you are using the MAP command to send an email for each event from your base search, since I found that you can simply use the sendemail command in your main search without using the MAP command.
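One way to meet the need raised above (one message per recipient, carrying only that recipient's rows as a CSV attachment) outside the map/sendemail path, as an added example that is not code from this thread or from Splunk. It assumes the recipient column is called EmailContact as in the question, uses constructed sample rows, and only builds the messages, leaving delivery to whatever SMTP transport you use:

```python
import csv
import io
from collections import defaultdict
from email.message import EmailMessage

RECIPIENT_FIELD = "EmailContact"  # assumed recipient column, as in the question

# Constructed sample rows shaped like the question's search output
# (stats count by sourcetype, then eval EmailContact=...).
SAMPLE_ROWS = [
    {"sourcetype": "splunkd", "count": "1200", "EmailContact": "email@id.com"},
    {"sourcetype": "splunkd_ui_access", "count": "40", "EmailContact": "email2@id.com"},
    {"sourcetype": "splunk_web_service", "count": "7", "EmailContact": "email2@id.com"},
]


def split_by_recipient(rows, field=RECIPIENT_FIELD):
    """Group rows by recipient; each group holds only that recipient's rows,
    with the routing column removed so nobody learns who else was notified."""
    groups = defaultdict(list)
    for row in rows:
        groups[row[field]].append({k: v for k, v in row.items() if k != field})
    return dict(groups)


def rows_to_csv(rows):
    """Serialise one recipient's subset as CSV text for the attachment."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def build_messages(rows, sender="splunk@example.invalid", subject="myresults"):
    """Return {recipient: EmailMessage}: one message per recipient, CSV attached."""
    messages = {}
    for recipient, subset in split_by_recipient(rows).items():
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = recipient
        msg["Subject"] = subject
        msg.set_content(f"{len(subset)} result row(s) are attached as results.csv.")
        msg.add_attachment(rows_to_csv(subset), subtype="csv", filename="results.csv")
        messages[recipient] = msg
    return messages


if __name__ == "__main__":
    # Hand each message to smtplib.SMTP(...).send_message(msg) to deliver it.
    for rcpt, msg in build_messages(SAMPLE_ROWS).items():
        print(rcpt, "gets", len(split_by_recipient(SAMPLE_ROWS)[rcpt]), "row(s)")
```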
I found the following SPL works when using MAP with sendemail inside.
... your base search ...
| table emailaddress ...
| map search="|makeresults |sendemail to=\"$emailaddress$\" from=\"me@sample.com\" inline=true sendresults=true subject=mysubject message=mymessage"
I am an admin user and followed a similar query, but I got "sendemail:1428 - [HTTP 403] Client is not authorized to perform requested action" when running sendemail inside the map command; the email can be sent if I run it separately. Do you know how to avoid this?
One thing I noticed is that it's not related to Python 3, since it is also not working for Python 2.
Is there any way by which I can send email to multiple recipients as per condition?