Reporting

Send emailed results to an email address IN the results.

jdunlea
Path Finder

I want to be able to email results to recipients where the recipient email address is PART of the result set.

For example, let's assume the following is my result set in Splunk.

[Screenshot of the example result set, with an "Email_Address" column, not reproduced here]

Now I want to have Splunk send an automated email for EACH RESULT where the recipient of the email is the value of the "Email_Address" field.

I.e.: Email 1 contains results from row 1 ONLY and the recipient of that email is jon.snow@got.com, etc.

I am pretty sure it is not possible in native Splunk but I am curious to know if anyone has come up with a custom solution.


jensonthottian
Contributor

You can use tokens to pass "TO:" in email notifications.

http://docs.splunk.com/Documentation/Splunk/6.2.2/Alert/Setupalertactions

$Email_Address$

  • Courtesy Snow is back.


woodcock
Esteemed Legend

If you need to send a contextually-appropriate subset of results to some people, you can skip the configuration-based email settings and do this in SPL directly:

... | outputcsv TempFile.csv
| stats values(Email_Address) AS emailToHeader | mvexpand emailToHeader
| map search="|inputcsv TempFile.csv | where Email_Address=\"$emailToHeader$\"
   | fields - Email_Address
   | sendemail
      sendresults=true inline=true
      server=\"Your.Value.Here\"
      from=\"Your.Value.Here\"
      to=\"$emailToHeader$\"
      subject=\"Your Subject here: \$name\$\"
      message=\"This report alert was generated by \$app\$ Splunk with this search string: \$search\$\""
| search ThisFieldWillNeverExist="SoThisCommandWillDropAllEventsSoThatYouCanPullInTheOriginalSetWhichYouMightOrMightNotCareToDo"
| appendpipe [|inputcsv TempFile.csv]

The only downside to this approach is that if the search does not return any results it will produce the following error:

"Error in "map": Did not find value for required attributes 'emailToHeader'"

This is "normal" and I have not found a good way to code around it.

thuhuongle
Explorer

Hi @woodcock ,
By using your solution, it will send an email with the event "no found results" because of the map command. How do I stop sending email when they are empty?
Thanks

| inputlookup mail.csv | fields adresse_mail | map search="|savedsearch abc | where Adresse_mail=\"$adresse_mail$\" |fields - Adresse_mail
|sendemail to=\"$adresse_mail$\" subject=...


thuhuongle
Explorer

Hi Woodcock, do you have a solution without using the sendemail command but that can pass the token to the alert by email?
Great solution with |sendemail


elewis1
Explorer

I got around the error for no results by adding the following immediately before the map command:
|append [|makeresults |eval ]

e.g. |append [|makeresults |eval emailToHeader=""]

I also added "graceful=true" to the sendemail command to ignore errors about trying to send an email with no "to".

woodcock
Esteemed Legend

Yes, I also found a solution to the empty map problem later on.

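Putting the thread together, here is an added example (not any poster's code) that combines woodcock's map/sendemail pattern with elewis1's empty-result workaround and adds a recipient allowlist. The index, sourcetype, the Name/House fields, the SMTP server and the sender address are assumptions; only Email_Address comes from the question.

```spl
index=got sourcetype=recipients earliest=-24h
| table Name House Email_Address
| where match(Email_Address, "^[A-Za-z0-9._-]+@got[.]com$")
| outputcsv TempFile.csv
| stats values(Email_Address) AS emailToHeader
| mvexpand emailToHeader
| append [| makeresults | eval emailToHeader="" | fields emailToHeader]
| map maxsearches=100 search="| inputcsv TempFile.csv
    | where Email_Address=\"$emailToHeader$\"
    | fields - Email_Address
    | sendemail graceful=true sendresults=true inline=true
        server=\"smtp.example.com\"
        from=\"splunk@example.com\"
        to=\"$emailToHeader$\"
        subject=\"Your rows from the daily report\"
        message=\"Only rows whose Email_Address matched your address are included.\""
| search ThisFieldWillNeverExist="DropEverythingMapReturned"
| appendpipe [| inputcsv TempFile.csv]
```

The allowlist matters because the recipient comes from the data itself: without it, any source that can write a row with an arbitrary Email_Address can route report rows to that address, so filter before outputcsv and the rejected rows never reach the per-recipient subsearches. The appended makeresults row keeps map from failing on an empty result set (graceful=true swallows the resulting empty "to"), and the final search/appendpipe pair, taken from woodcock's version, drops map's output and restores the full set as the alert's own result.
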
AssafLowenstein
Explorer

Not sure how this answers the question.
What's the SPL for sending multiple emails with recipients based on fields in the result set with the data that is relevant for each user?


splunkyfun12721
Loves-to-Learn Lots

SPL for sending email based on email address value in the result:

<base search>
| table User Email_Address
| sendemail to=$result.Email_Address$ subject=$result.User$ ...

https://docs.splunk.com/Documentation/Splunk/8.1.2/Alert/EmailNotificationTokens#Result_tokens


nunoaragao
Explorer

I believe you need $results.Email_Address$


brothersman
New Member

Thanks Jenson


jdunlea
Path Finder

Thanks Jenson!
