Reporting

How to send email to multiple recipients using map command with Python3?

ips_mandar
Builder

Hi,
I am using splunk 8.0.1 on windows OS with Python3.
With help of @woodcock answer from https://answers.splunk.com/answers/489475/how-configure-an-alert-to-send-an-email-based-on-f.html
I was trying below search-

 Your Base Search Here
 | outputlookup MyTempLookup.csv
 | stats count by EmailContact
 | map maxsearches=9999 search="|inputlookup MyTempLookup.csv
                                | search EmailContact=$EmailContact$
                                | sendemail to=\"$EmailContact$\" format=raw subject=myresults sendresults=true"

But the search is returning results but it is not sending any mail. and when I checked internal logs below error I observed-

ERROR   sendemail:1428 - [HTTP 403] Client is not authorized to perform requested action;
Traceback (most recent call last):
  File "D:\Program Files\Splunk\etc\apps\search\bin\sendemail.py", line 1421, in <module>
    results = sendEmail(results, settings, keywords, argvals)
  File "D:\Program Files\Splunk\etc\apps\search\bin\sendemail.py", line 400, in sendEmail
    jobResponseHeaders, jobResponseBody = simpleRequest(uriToJob, method='GET', getargs={'output_mode':'json'}, sessionKey=sessionKey)
  File "D:\Program Files\Splunk\Python-3.7\lib\site-packages\splunk\rest\__init__.py", line 559, in simpleRequest
    raise splunk.AuthorizationFailed(extendedMessages=uri)
splunk.AuthorizationFailed: [HTTP 403] Client is not authorized to perform requested action

Note- If I try using only sendemail command then it is working and I am able to receive email.
Is there anything needs to be modified in sendemail.py command for python3.

Below sample query I tried but it is not sending any email-

 index=_internal|stats count by sourcetype|eval EmailContact=if(sourcetype="splunkd","email@id.com","email2@id.com")
  | outputlookup MyTempLookup.csv| stats values(EmailContact) AS emailToHeader| mvexpand emailToHeader| map search="|inputlookup MyTempLookup.csv | where EmailContact=\"$emailToHeader$\"
     | fields - EmailContact
     | sendemail
        sendresults=true inline=true
               to=\"$emailToHeader$\"
        subject=\"Your Subject here: \"
        message=\"This report alert was generated by \$app\$ Splunk with this search string: \"

Any idea what mistake I am doing in above query.
Thanks.

Labels (1)
0 Karma

sirajnp
Path Finder

It's pretty simple, don't even need to use map command. Just enable send email alert action and in to: field set $result.email$ (email - depend upon your field name in Splunk result) and select trigger "for each result". Email will be send to the respective email address for each line of result.

https://docs.splunk.com/Documentation/Splunk/6.3.3/Alert/Emailnotification#Send_email_to_different_r...

0 Karma

wangjianiu
Explorer

for each result would send many emails to one receiver, and we want send subset result to different user, so this may not help

0 Karma

sirajnp
Path Finder

Just use a stats by email address at the end. Then will have only one email per recipient.

0 Karma

gjanders
SplunkTrust
SplunkTrust

Would the sendresults app on SplunkBase work for this issue?

0 Karma

wangjianiu
Explorer

it could work sometimes, but it does not support CSV attachment, a larger table in an email is not good, better to find why we have the authentication issue and use the Splunk sendemail 

0 Karma

splunkyfun12721
Loves-to-Learn Lots

I'd assume you are using the MAP command to send email per each event from your base search, since I found that you can simply use the sendemail command in your main search without using MAP command.

I found the following SPL works when using MAP with sendemail inside.

... your base search ...
| table emailaddress ...
| map search="|makeresults |sendemail to="$emailaddress$" from="me@sample.com" incline=true sendresults=true subject=mysubject message=mymessage"
0 Karma

wangjianiu
Explorer

i am a admin user and follow the similar query, but I got "sendemail:1428 - [HTTP 403] Client is not authorized to perform requested action" when run sentemail inside the map command, the email could be send if I run it seprartely. do you know how to avoid this?

 

0 Karma

ips_mandar
Builder

One thing I noticed that it's not related to python3 since it is also not working for python2.
Is there any way by which I can send email to multiple recepients as per condition

0 Karma
Get Updates on the Splunk Community!

New Splunk Observability innovations: Deeper visibility and smarter alerting to ...

You asked, we delivered. Splunk Observability Cloud has several new innovations giving you deeper visibility ...

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Register today and join TekStream on Tuesday, February 28 at 11am PT/2pm ET for a demonstration of Splunk ...

Instrumenting Java Websocket Messaging

Instrumenting Java Websocket MessagingThis article is a code-based discussion of passing OpenTelemetry trace ...