Send emailed results to an email address IN the results.

Path Finder

I want to be able to email results to recipients where the recipient email address is PART of the result set.

For example, let's assume the following is my result set in Splunk.


Now I want to have Splunk send an automated email for EACH RESULT where the recipient of the email is the value of the "Email_Address" field.

I.E: Email 1 contains results from row 1 ONLY and the recipient of that email is jon.snow@got.com, etc.

I am pretty sure it is not possible in native Splunk but I am curious to know if anyone has come up with a custom solution.

0 Karma

Esteemed Legend

If you need to send a contextually appropriate subset of results to some people, you can skip the configuration-based email settings and do this in SPL directly:

... | outputcsv TempFile.csv
| stats values(Email_Address) AS emailToHeader | mvexpand emailToHeader
| map search="|inputcsv TempFile.csv | where Email_Address=\"$emailToHeader$\"
   | fields - Email_Address
   | sendemail
      sendresults=true inline=true
      server=\"Your.Value.Here\"
      from=\"Your.Value.Here\"
      to=\"$emailToHeader$\"
      subject=\"Your Subject here: \$name\$\"
      message=\"This report alert was generated by \$app\$ Splunk with this search string: \$search\$\""
| search ThisFieldWillNeverExist="SoThisCommandWillDropAllEventsSoThatYouCanPullInTheOriginalSetWhichYouMightOrMightNotCareToDo"
| appendpipe [|inputcsv TempFile.csv]

The only downside to this approach is that if the search does not return any results, it will produce the following error:

"Error in "map": Did not find value for required attributes 'emailToHeader'

This is "normal" and I have not found a good way to code around it.

Explorer

I got around the error for no results by adding the following immediately before the map command
|append [|makeresults |eval ]

e.g. |append [|makeresults |eval emailToHeader=""]

I also added "graceful=true" to the sendemail command to ignore errors about trying to send an email with no "to"

Esteemed Legend

Yes, I also found a solution to the empty map problem later on.

0 Karma
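
The following Python is an added example, not code from any poster in this thread or from Splunk: it takes a CSV export such as the TempFile.csv written by outputcsv above, groups rows by Email_Address, and builds one message per recipient containing only that recipient's rows, rejecting any recipient value that is not a single address in an allowed domain. The sample rows, ALLOWED_DOMAINS, the sender address and the function names are assumptions; delivery (for example with smtplib) is left to the caller.

```python
import csv
import io
import re
from collections import defaultdict
from email.message import EmailMessage

# Constructed sample standing in for the CSV written by `outputcsv TempFile.csv`.
SAMPLE_CSV = """\
Name,Email_Address,Status
Jon Snow,jon.snow@got.com,Overdue
Arya Stark,arya.stark@got.com,OK
Jon Snow,jon.snow@got.com,Pending
Mallory,mallory@evil.example,OK
Eve,"jon.snow@got.com,eve@other.example",OK
"""

ALLOWED_DOMAINS = {"got.com"}  # assumption: results may only go to internal recipients
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def valid_recipient(addr):
    """Accept exactly one plain address in an allowed domain (no commas, spaces, CR/LF)."""
    m = ADDR_RE.fullmatch(addr)
    return bool(m) and m.group(1).lower() in ALLOWED_DOMAINS


def per_recipient_messages(csv_text, sender="splunk@got.com"):
    """Return ({recipient: EmailMessage}, [rejected values]); an empty result set yields ({}, [])."""
    rows_by_addr, rejected = defaultdict(list), []
    for row in csv.DictReader(io.StringIO(csv_text)):
        addr = (row.get("Email_Address") or "").strip()
        if not valid_recipient(addr):
            rejected.append(addr)  # keep for review instead of mailing it
            continue
        row.pop("Email_Address")  # mirrors `fields - Email_Address` in the SPL above
        rows_by_addr[addr.lower()].append(row)
    messages = {}
    for addr, rows in rows_by_addr.items():
        msg = EmailMessage()
        msg["From"], msg["To"] = sender, addr
        msg["Subject"] = f"Your results ({len(rows)} row(s))"
        out = io.StringIO()
        writer = csv.DictWriter(out, fieldnames=list(rows[0]), lineterminator="\n")
        writer.writeheader()
        writer.writerows(rows)
        msg.set_content(out.getvalue())  # body carries only this recipient's rows
        messages[addr] = msg
    return messages, rejected
```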

Contributor

You can use tokens to pass "TO:" in email notifications.

http://docs.splunk.com/Documentation/Splunk/6.2.2/Alert/Setupalertactions

$Email_Address$

  • Courtesy Snow is back.


Not sure how this answers the question.
What's the SPL for sending multiple emails with recipients based on fields in the result set with the data that is relevant for each user?

0 Karma

Explorer

I believe you need $results.Email_Address$

0 Karma

New Member

Thanks Jenson

0 Karma

Path Finder

Thanks Jenson!

0 Karma