Hi,
The SPL query below returns 41 rows in the table, but when I use the MAP command for email notifications only 10 mails are generated, and I get the following error when I add maxsearches to the MAP query:
Error in 'map' command: Unable to find saved search 'maxsearches=99'.
The search job has failed due to an error. You may be able view the job in the Job Inspector.
I get only 10 mails when running the query below, although the actual result count turns out to be 41.
source="UserList.csv" host="prd-p-bjs8j4b5tcmc" sourcetype="SplUsers" "User Lock Status"=0 "User Type"=A |
rename "User Name" AS user_name, "User Master Maintenance_ User Group" AS user_group, "User Lock Status" AS user_lock_status, "Last Logon Date" AS last_logon_date, "First name" AS first_name, "Full Name" AS full_name, "E-Mail Address" AS e-mailAddress |
eval last_logon_date = strptime(last_logon_date, "%m/%d/%Y") | WHERE
(last_logon_date >= relative_time (now(), "-90d")) AND
(last_logon_date <= relative_time (now(), "-60d")) |
eval last_logon_date = strftime (last_logon_date, "%m/%d/%Y") |
sort 0 + last_logon_date |
table user_name,user_group,first_name,full_name,user_lock_status,last_logon_date,e-mailAddress |
map [sendemail to = $e-mailAddress$ cc="xyz@yahoo.com" subject="User $user_name$ to be locked"
message="Hi $first_name$,
User $user_name$ will be locked as you didn't login to SAP system since 60 days.
Regards,
SAP Admin." sendresults=false footer="Kindly contact SAP Admin if you don't want to be locked within 2 business days."]
Please help me generate all 41 email notifications. Thank you!
Using a subsearch is not supported for map, and you also need max_searches=50. Try this:
index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=AndSourcetypeToo AND source="UserList.csv" host="prd-p-bjs8j4b5tcmc" sourcetype="SplUsers" "User Lock Status"=0 "User Type"=A
| rename "User Name" AS user_name, "User Master Maintenance_ User Group" AS user_group, "User Lock Status" AS user_lock_status, "Last Logon Date" AS last_logon_date, "First name" AS first_name, "Full Name" AS full_name, "E-Mail Address" AS e-mailAddress
| eval last_logon_date = strptime(last_logon_date, "%m/%d/%Y")
| where (last_logon_date >= relative_time (now(), "-90d")) AND
(last_logon_date <= relative_time (now(), "-60d"))
| eval last_logon_date = strftime (last_logon_date, "%m/%d/%Y")
| sort 0 + last_logon_date
| table user_name,user_group,first_name,full_name,user_lock_status,last_logon_date,e-mailAddress
| map search="sendemail to=$e-mailAddress$ cc=\"xyz@yahoo.com\" subject=\"User $user_name$ to be locked\"
message=\"Hi $first_name$,
User $user_name$ will be locked as you didn't login to SAP system since 60 days.
Regards,
SAP Admin.\" sendresults=false footer=\"Kindly contact SAP Admin if you don't want to be locked within 2 business days.\"" maxsearches=99
[UPDATED ANSWER]
Hi Vineet, as requested, use the following run-anywhere example of the map command. Plug in your query as per your needs:
The following tests that the map command uses the outer query to populate the required fields inside the map command.
| makeresults
| eval user_name="abc123",emailAddress="abc@somewhere.com",first_name="alpha",last_name="gamma"
| table user_name,first_name,emailAddress
| map search="| makeresults
| fields - _time
| eval email=\"$emailAddress$\", username=\"$user_name$\", firstname=\"$first_name$\"
"
Following is the query that should send out the email, provided you have email configured:
| makeresults
| eval user_name="abc123",emailAddress="abc@somewhere.com",first_name="alpha",last_name="gamma"
| table user_name,first_name,emailAddress
| map search="| makeresults
| fields - _time
| eval email=\"$emailAddress$\", username=\"$user_name$\", firstname=\"$first_name$\"
| sendemail to=\"$emailAddress$\" cc=\"xyz@yahoo.com\" subject=\"User $user_name$ to be locked\"
message=\"Hi $first_name$,
User $user_name$ will be locked as you didn't login to SAP system since 60 days.
Regards,
SAP Admin.\" sendresults=false footer=\"Kindly contact SAP Admin if you don't want to be locked within 2 business days.\""
PS: If you want to send out formatted email (sendemail sends plaintext content), you should check out the Sendresults app from Splunkbase.
@vineeth_jain use the argument maxsearches=<int> to give some upper limit to the number of results you want to use through the map command. Default is set to 10.
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Map#Optional_arguments
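A corrected end-to-end version of the question's pipeline, added here as an example and not taken from any post in this thread: the address field is renamed to email_address (a hyphenated field name would need single quotes in eval), the inner search is passed as search="..." with escaped inner quotes, and maxsearches=99 follows the search string, where the documented map syntax places it. The index name and the cc mailbox are placeholders, and rows without a usable address are dropped before map so that one bad row does not fail its per-row sendemail.

```spl
index=<your_index> source="UserList.csv" host="prd-p-bjs8j4b5tcmc" sourcetype="SplUsers" "User Lock Status"=0 "User Type"=A
| rename "User Name" AS user_name, "User Master Maintenance_ User Group" AS user_group, "User Lock Status" AS user_lock_status, "Last Logon Date" AS last_logon_date, "First name" AS first_name, "Full Name" AS full_name, "E-Mail Address" AS email_address
| eval last_logon_epoch = strptime(last_logon_date, "%m/%d/%Y")
| where last_logon_epoch >= relative_time(now(), "-90d") AND last_logon_epoch <= relative_time(now(), "-60d")
| eval last_logon_date = strftime(last_logon_epoch, "%m/%d/%Y")
| sort 0 + last_logon_epoch
| where isnotnull(email_address) AND match(email_address, "^[^@]+@[^@]+$")
| table user_name, user_group, first_name, full_name, user_lock_status, last_logon_date, email_address
| map search="| makeresults
    | sendemail to=\"$email_address$\" cc=\"sap-admin@example.com\" subject=\"User $user_name$ to be locked\"
      message=\"Hi $first_name$,
User $user_name$ will be locked because you have not logged in to the SAP system for 60 days.
Regards,
SAP Admin.\" sendresults=false footer=\"Kindly contact SAP Admin within 2 business days if you do not want to be locked.\"" maxsearches=99
```

Sorting on the epoch value keeps the rows in date order across year boundaries, which the mm/dd/yyyy string sort in the original does not. Check the final row count of the outer search before relying on maxsearches=99; if it can grow past that, raise the limit or the excess rows will silently get no mail.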
| source="UserList.csv" host="prd-p-bjs8j4b5tcmc" sourcetype="SplUsers" "User Lock Status"=0 "User Type"=A |
makeresults |
rename "User Name" AS user_name, "User Master Maintenance_ User Group" AS user_group, "User Lock Status" AS user_lock_status, "Last Logon Date" AS last_logon_date, "First name" AS first_name, "Full Name" AS full_name, "E-Mail Address" AS e-mailAddress |
eval last_logon_date = strptime(last_logon_date, "%m/%d/%Y") | WHERE
(last_logon_date >= relative_time (now(), "-90d")) AND
(last_logon_date <= relative_time (now(), "-60d")) |
eval last_logon_date = strftime (last_logon_date, "%m/%d/%Y") |
sort 0 + last_logon_date |
eval user_name="abc123", e-mailAddress="abc@somewhere.com", first_name="alpha"|
table user_name,first_name,e-mailAddress |
map search="| makeresults
| fields - _time
| eval email=$e-mailAddress$, username=$user_name$, firstname=$first_name$
| sendemail to=$e-mailAddress$ cc="vineethjain28@gmail.com" subject="User $user_name$ to be locked"
message="Hi $first_name$,
User $user_name$ will be locked as you didn't login to SAP system since 60 days.
Regards,
SAP Admin." sendresults=false footer="Kindly contact SAP Admin if you don't want to be locked within 2 business days.""
I am getting the error "Search Factory: Unknown search command 'source'."
I am unable to identify the mistake I am making. Can you please help?
Can you please provide me the updated Splunk map query as specified above? I am getting an error while writing maxsearches in the map query.