Other Usage

Send emailed results to an email address IN the results.

jdunlea
Contributor

I want to be able to email results to recipients where the recipient email address is PART of the result set.

For example, let's assume the following is my result set in Splunk.

Now I want to have Splunk send an automated email for EACH RESULT where the recipient of the email is the value of the "Email_Address" field.

I.e., Email 1 contains results from row 1 ONLY and the recipient of that email is jon.snow@got.com, etc.

I am pretty sure it is not possible in native Splunk but I am curious to know if anyone has come up with a custom solution.

woodcock
Esteemed Legend

If you need to send a contextually-appropriate subset of results to some people, you can skip the configuration-based email settings and do this in SPL directly:

... | outputcsv TempFile.csv
| stats values(Email_Address) AS emailToHeader | mvexpand emailToHeader
| map search="|inputcsv TempFile.csv | where Email_Address=\"$emailToHeader$\"
   | fields - Email_Address
   | sendemail
      sendresults=true inline=true
      server=\"Your.Value.Here\"
      from=\"Your.Value.Here\"
      to=\"$emailToHeader$\"
      subject=\"Your Subject here: \$name\$\"
      message=\"This report alert was generated by \$app\$ Splunk with this search string: \$search\$\""
| search ThisFieldWillNeverExist="SoThisCommandWillDropAllEventsSoThatYouCanPullInTheOriginalSetWhichYouMightOrMightNotCareToDo"
| appendpipe [|inputcsv TempFile.csv]

The only downside to this approach is that if the search does not return any results it will produce the following error:

"Error in "map": Did not find value for required attributes 'emailToHeader'"

This is "normal" and I have not found a good way to code around it.

ejwade
Contributor

Hi @woodcock.

This is very helpful, and somewhat of a game changer in sending dynamic alerts from Splunk. Thank you!

I did have a quick question about outputcsv.

From what I've read, outputlookup writes to a lookup file that replicates across a search head cluster, while outputcsv just writes a CSV in the current search head's var/run directory. I'm looking to have this result dataset NOT be persistent. Do you have any recommendations about creating a result dataset for the map command that will age out after the search is run, or some configurable time after?

thuhuongle
Explorer

Hi @woodcock,
By using your solution, it will send an email even with "no found results" because of the map command. How to stop sending emails when they are empty?
Thanks

| inputlookup mail.csv | fields adresse_mail | map search="|savedsearch abc | where Adresse_mail=\"$adresse_mail$\" |fields - Adresse_mail
|sendemail to=\"$adresse_mail$\" subject=...

thuhuongle
Explorer

Hi Woodcock, do you have a solution without using the sendemail command but that can parse the token to the alert by email?
Great solution with |sendemail

elewis1
Explorer

I got around the error for no results by adding the following immediately before the map command
|append [|makeresults |eval ]

e.g. |append [|makeresults |eval emailToHeader=""]

I also added "graceful=true" to the sendemail command to ignore errors about trying to send an email with no "to"
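Combining woodcock's map/sendemail pattern with the empty-result guard and graceful=true from this post, as an added example that is not taken from any of the posters. Assumptions: the base search yields an Email_Address field, the SMTP server and from address are placeholders, and recipients are limited to the got.com domain used in the question, so that an address that merely appears in the data cannot route results to an arbitrary mailbox.

```spl
<base search that produces an Email_Address field>
| outputcsv TempFile.csv
| stats values(Email_Address) AS emailToHeader
| mvexpand emailToHeader
| where match(emailToHeader, "^[A-Za-z0-9._%+-]+@got\.com$")
| append [| makeresults | eval emailToHeader=""]
| map maxsearches=100 search="| inputcsv TempFile.csv
    | where Email_Address=\"$emailToHeader$\"
    | fields - Email_Address
    | sendemail graceful=true sendresults=true inline=true
        server=\"smtp.example.com\" from=\"splunk@example.com\"
        to=\"$emailToHeader$\" subject=\"Your report rows\"
        message=\"Rows for $emailToHeader$ from saved search \$name\$\""
```

The domain filter runs before the append so the empty guard row is still present and map never sees zero input rows; the empty row yields no matching CSV rows and graceful=true swallows the resulting sendemail error. map stops at maxsearches (default 10), so set it to at least the expected number of distinct recipients.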

woodcock
Esteemed Legend

Yes, I also found a solution to the empty map problem later on.

jensonthottian
Contributor

You can use tokens to pass "TO:" in email notifications.

http://docs.splunk.com/Documentation/Splunk/6.2.2/Alert/Setupalertactions

$Email_Address$

  • Courtesy Snow is back.

AssafLowenstein
Explorer

Not sure how this answers the question.
What's the SPL for sending multiple emails with recipients based on fields in the result set, with the data that is relevant for each user?

splunkyfun12721
Loves-to-Learn Lots

SPL for sending email based on email address value in the result:

<base search>
| table User Email_Address
| sendemail to=$result.Email_Address$ subject=$result.User$ ...

https://docs.splunk.com/Documentation/Splunk/8.1.2/Alert/EmailNotificationTokens#Result_tokens

nunoaragao
Explorer

I believe you need $results.Email_Address$

brothersman
New Member

Thanks Jenson

jdunlea
Contributor

Thanks Jenson!
