I want to be able to email results to recipients where the recipient email address is PART of the result set.
For example, let's assume the following is my result set in Splunk.
Now I want to have Splunk send an automated email for EACH RESULT where the recipient of the email is the value of the "Email_Address" field.
i.e. Email 1 contains results from row 1 ONLY and the recipient of that email is jon.snow@got.com, etc.
I am pretty sure it is not possible in native Splunk but I am curious to know if anyone has come up with a custom solution.
You can use tokens to pass "TO:" in email notifications.
http://docs.splunk.com/Documentation/Splunk/6.2.2/Alert/Setupalertactions
$Email_Address$
If you need to send a contextually-appropriate subset of results to some people, you can skip the configuration-based email settings and do this in SPL directly:
... | outputcsv TempFile.csv
| stats values(Email_Address) AS emailToHeader | mvexpand emailToHeader
| map search="|inputcsv TempFile.csv | where Email_Address=\"$emailToHeader$\"
| fields - Email_Address
| sendemail
sendresults=true inline=true
server=\"Your.Value.Here\"
from=\"Your.Value.Here\"
to=\"$emailToHeader$\"
subject=\"Your Subject here: \$name\$\"
message=\"This report alert was generated by \$app\$ Splunk with this search string: \$search\$\""
| search ThisFieldWillNeverExist="SoThisCommandWillDropAllEventsSoThatYouCanPullInTheOriginalSetWhichYouMightOrMightNotCareToDo"
| appendpipe [|inputcsv TempFile.csv]
The only downside to this approach is that if the search does not return any results it will produce the following error:
"Error in "map": Did not find value for required attributes 'emailToHeader'"
This is "normal" and I have not found a good way to code around it.
Hi @woodcock.
This is very helpful, and somewhat of a game changer in sending dynamic alerts from Splunk. Thank you!
I did have a quick question about outputcsv.
From what I've read, outputlookup writes to a lookup file that replicates across a search head cluster, while outputcsv just writes a CSV in the current search head's var/run directory. I'm looking to have this result dataset NOT be persistent. Do you have any recommendations about creating a result dataset for the map command that will age out after the search is run, or some configurable time after?
Hi @woodcock ,
By using your solution, it will send an email even with "no found results" because of the map command. How do I stop it sending email when they are empty?
Thanks
| inputlookup mail.csv | fields adresse_mail | map search="|savedsearch abc | where Adresse_mail=\"$adresse_mail$\" |fields - Adresse_mail
|sendemail to=\"$adresse_mail$\" subject=...
Hi Woodcock, do you have a solution without using the sendemail command but that can pass the token to the alert by email?
Great solution with |sendemail
I got around the error for no results by adding the following immediately before the map command
|append [|makeresults |eval ]
e.g. |append [|makeresults |eval emailToHeader=""]
I also added "graceful=true" to the sendemail command to ignore errors about trying to send an email with no "to"
Yes, I also found a solution to the empty map
problem later on.
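Pulling the pieces of this thread together (the map-based per-recipient search from the answer above, the empty-result workaround from the append/makeresults comment, and graceful=true on sendemail), here is one complete pipeline. This is an added example, not code posted by woodcock or any other participant; the base search, the server and from addresses, and the subject text are placeholders I have assumed, and the TempFile.csv / Email_Address / emailToHeader names are taken from the answer above.

```spl
<base search>
| outputcsv TempFile.csv
| stats values(Email_Address) AS emailToHeader
| mvexpand emailToHeader
| append [| makeresults | eval emailToHeader="" | fields emailToHeader]
| map maxsearches=100 search="| inputcsv TempFile.csv
    | where Email_Address=\"$emailToHeader$\"
    | fields - Email_Address
    | sendemail graceful=true sendresults=true inline=true
        server=\"smtp.example.com\"
        from=\"splunk@example.com\"
        to=\"$emailToHeader$\"
        subject=\"Your results from Splunk\"
        message=\"Results filtered to the rows that contain your address.\""
```

The appended row with an empty emailToHeader guarantees map always has at least one row, so the "Did not find value for required attributes" error from the original answer does not occur; that extra iteration matches no rows in TempFile.csv and would fail on an empty to= address, which graceful=true turns into a silent skip instead of a search error. Note the explicit maxsearches= on map: map stops after 10 sub-searches by default, so a result set with more than 10 distinct addresses would silently leave recipients unmailed without it. Also keep in mind the point raised above about outputcsv: the file is written under the search head's var/run directory and is not cleaned up by this pipeline, so treat it as a persistent copy of potentially sensitive results on that host.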
Not sure how this answers the question.
What's the SPL for sending multiple emails with recipients based on fields in the result set, with the data that is relevant for each user?
SPL for sending email based on email address value in the result:
<base search>
| table User Email_Address
| sendemail to=$result.Email_Address$ subject=$result.User$ ...
https://docs.splunk.com/Documentation/Splunk/8.1.2/Alert/EmailNotificationTokens#Result_tokens
I believe you need $results.Email_Address$
Thanks Jenson
Thanks Jenson!