Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to send report to different user based on SPLUNK query

twtyj
New Member
‎06-28-2018 01:28 AM

I have a SPLUNK query that generate following table:

User_Name Number recipient
user_a 10 user_a@mail.com
user_b 20 user_b@mail.com
user_c 30 user_c@mail.com

how can i achieve for each recipient only receive email contains its records? like user_a@mail.com only receive following:
User_Name Number
user_a 10

Thanks.

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎06-30-2018 08:38 AM

This is from another Q&A:
https://answers.splunk.com/answers/399434/send-emailed-results-to-an-email-address-in-the-re.html#an...

If you need to send a contextually-appropriate subset of results to some people, you can skip the configuration-based email settings and do this in SPL:

... | outputlookup TempFile.csv
| stats values(Email_Address) AS emailToHeader | mvexpand emailToHeader
| map search ="|inputcsv TempFile.csv | where Email_Addresss=\"$emailToHeader$\"
   | fields - Email_Address
   | sendemail
      sendresults=true inline=true
      server=\"Your.Value.Here\"
      from=\"Your.Value.Here\"
      to=\"$emailToHeader$\"
      subject=\"Your Subject here: \$name\$\"
      message=\"This report alert was generated by \$app\$ Splunk with this search string: \$search\$\""
| where comment="MakeSureNoEventsRemail"
| append [|inputlookup TempFile.csv]
0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎06-28-2018 06:17 PM

sendresults may help here

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
Reply

MuS
Legend
‎06-28-2018 06:29 PM

Indeed this is the right command to do such a thing, here is an example :

Base search here 
| map search="| sendemail to=$recipient$ subject="words here" from=splunk@company.com message="We have this $Number$ for you""

Here are more examples https://answers.splunk.com/answers/186045/how-can-i-use-a-combination-of-map-and-sendemail-t.html

cheers, MuS

Reply

twtyj
New Member
‎06-28-2018 07:42 PM

Hi Mus,

I try your query but failed, the result is empty.

0 Karma
Reply

MuS
Legend
‎07-01-2018 05:58 PM

Hi there, well you need to adapt the example to match your fields in the events 😉

cheers, MuS

0 Karma
Reply

Sukisen1981
Champion
‎06-28-2018 04:44 AM

Hi, yo ucan sort of roundabout implement this through alerts

http://docs.splunk.com/Documentation/Splunk/7.1.1/Alert/Emailnotification
This allows you to pass the To field dynamically through the $result.recipient$ token
Now,assuming that there is only 1 unique row per email address, you can set up an alert to run for each search result AND pass the 'TO' email address dynamically. I am sure you have access to the alert documentation, it is worth a try

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...