Why are only 10 emails being returned when generating email notifications using the Map query?

vineeth_jain
Explorer

Hi,

The SPL query below returns 41 field values in the table, but when generating email notifications with the map command only 10 mails are generated, and I get the following error when using maxsearches along with the map command:

Error in 'map' command: Unable to find saved search 'maxsearches=99'.

The search job has failed due to an error. You may be able to view the job in the Job Inspector.

I get only 10 mails when running the query below, but the actual result count is 41.

source="UserList.csv" host="prd-p-bjs8j4b5tcmc" sourcetype="SplUsers" "User Lock Status"=0 "User Type"=A |
rename "User Name" AS user_name, "User Master Maintenance_ User Group" AS user_group, "User Lock Status" AS user_lock_status, "Last Logon Date" AS last_logon_date, "First name" AS first_name, "Full Name" AS full_name, "E-Mail Address" AS e-mailAddress |
eval last_logon_date = strptime(last_logon_date, "%m/%d/%Y") | WHERE
(last_logon_date >= relative_time(now(), "-90d")) AND 
(last_logon_date <= relative_time(now(), "-60d")) |
sort 0 + last_logon_date |
eval last_logon_date = strftime(last_logon_date, "%m/%d/%Y") |
table user_name,user_group,first_name,full_name,user_lock_status,last_logon_date,e-mailAddress |
map [sendemail to=$e-mailAddress$ cc="xyz@yahoo.com" subject="User $user_name$ to be locked"
message="Hi $first_name$,

User $user_name$ will be locked as you didn't login to SAP system since 60 days.

Regards,
SAP Admin." sendresults=false footer="Kindly contact SAP Admin if you don't want to be locked within 2 business days."]

Please help to generate all 41 email notifications. Thank you!

0 Karma
1 Solution

woodcock
Esteemed Legend

Using a subsearch is not supported for map, and you also need max_searches=50. Try this:

index=YouShouldAlwaysSpecifyAnIndex source="UserList.csv" host="prd-p-bjs8j4b5tcmc" sourcetype="SplUsers" "User Lock Status"=0 "User Type"=A
| rename "User Name" AS user_name, "User Master Maintenance_ User Group" AS user_group, "User Lock Status" AS user_lock_status, "Last Logon Date" AS last_logon_date, "First name" AS first_name, "Full Name" AS full_name, "E-Mail Address" AS e-mailAddress
| eval last_logon_date = strptime(last_logon_date, "%m/%d/%Y")
| where (last_logon_date >= relative_time(now(), "-90d")) AND 
        (last_logon_date <= relative_time(now(), "-60d"))
| sort 0 + last_logon_date
| eval last_logon_date = strftime(last_logon_date, "%m/%d/%Y")
| table user_name,user_group,first_name,full_name,user_lock_status,last_logon_date,e-mailAddress
| map search="sendemail to=\"$e-mailAddress$\" cc=\"xyz@yahoo.com\" subject=\"User $user_name$ to be locked\"
message=\"Hi $first_name$,

User $user_name$ will be locked as you didn't login to SAP system since 60 days.

Regards,
SAP Admin.\" sendresults=false footer=\"Kindly contact SAP Admin if you don't want to be locked within 2 business days.\"" maxsearches=99

0 Karma

niketn
Legend

[UPDATED ANSWER]
Hi Vineet, as requested, use the following run-anywhere example of the map command. Plug in your query as per your needs:

The following tests that the map command uses the query to populate the required fields inside the map command.

| makeresults
| eval user_name="abc123",emailAddress="abc@somewhere.com",first_name="alpha",last_name="gamma"
| table user_name,first_name,emailAddress
| map search="| makeresults
        | fields - _time
        | eval email=\"$emailAddress$\", username=\"$user_name$\", firstname=\"$first_name$\"
        "

The following is the query which should send out email, provided you have email configured:

| makeresults
| eval user_name="abc123",emailAddress="abc@somewhere.com",first_name="alpha",last_name="gamma"
| table user_name,first_name,emailAddress
| map search="| makeresults
        | fields - _time
        | eval email=\"$emailAddress$\", username=\"$user_name$\", firstname=\"$first_name$\"
        | sendemail to=\"$emailAddress$\" cc=\"xyz@yahoo.com\" subject=\"User $user_name$ to be locked\"
        message=\"Hi $first_name$,

                 User $user_name$ will be locked as you didn't login to SAP system since 60 days.

                 Regards,
                 SAP Admin.\" sendresults=false footer=\"Kindly contact SAP Admin if you don't want to be locked within 2 business days.\""

PS: If you want to send out formatted email (sendemail sends out plaintext content), you should check out the Sendresults app from Splunkbase.


@vineeth_jain use the argument maxsearches=<int> to set an upper limit on the number of results you want to run through the map command. The default is 10.

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Map#Optional_arguments

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
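Added illustration, not code from this thread or from Splunk: a small Python model of how `map` reads its arguments and its input rows, built to reproduce the three things under discussion, the `maxsearches` cap (documented default 10), the `$field$` substitution, and the error quoted in the question. The model takes the documented syntax `map (<searchoption> | <savedsplunkoption>) [maxsearches=int]` strictly positionally, so anything in the first slot that is not `search="..."` or a `[...]` subsearch is read as a saved-search name; that is an assumption chosen to match the message "Unable to find saved search 'maxsearches=99'", not a description of Splunk's parser. The rows, the template and the handling of a token with no matching field (reported rather than substituted) are constructed here.

```python
import csv
import io
import re
from dataclasses import dataclass, field

DEFAULT_MAXSEARCHES = 10  # Splunk's documented default for `map`
TOKEN = re.compile(r"\$([A-Za-z_][\w-]*)\$")  # $field$ tokens; hyphen allowed (e-mailAddress)


class MapSyntaxError(ValueError):
    """Stands in for Splunk failing the job with an 'Error in map command' message."""


def _split_subsearch(text):
    """Split a leading [ ... ] subsearch off `text`, honouring nested brackets."""
    depth = 0
    for i, ch in enumerate(text):
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
            if depth == 0:
                return text[1:i], text[i + 1:]
    raise MapSyntaxError("Error in 'map' command: unterminated subsearch.")


def parse_map_args(arg_string, saved_searches=None):
    """Model (assumption, see lead-in) of `map (<searchoption> | <savedsplunkoption>) [maxsearches=int]`.

    The search template comes first; anything else in that slot is taken as a
    saved-search name. Returns (template, maxsearches).
    """
    saved_searches = saved_searches or {}
    text = arg_string.strip()
    quoted = re.match(r'search="((?:[^"\\]|\\.)*)"(.*)$', text, re.S)
    if quoted:
        template, rest = quoted.group(1).replace('\\"', '"'), quoted.group(2)
    elif text.startswith("["):
        template, rest = _split_subsearch(text)
    else:
        name, _, rest = text.partition(" ")
        if name not in saved_searches:
            raise MapSyntaxError(
                f"Error in 'map' command: Unable to find saved search '{name}'.")
        template = saved_searches[name]
    maxsearches = DEFAULT_MAXSEARCHES
    rest = rest.strip()
    if rest:
        option = re.fullmatch(r"maxsearches=(\d+)", rest)
        if option is None:
            raise MapSyntaxError(f"Error in 'map' command: Invalid argument: '{rest}'.")
        maxsearches = int(option.group(1))
    return template.strip(), maxsearches


@dataclass
class MapRun:
    searches: list = field(default_factory=list)   # one expanded search per row, in order
    skipped: int = 0                                # rows beyond maxsearches that never ran
    unresolved: set = field(default_factory=set)    # $tokens$ with no matching field


def run_map(arg_string, rows, saved_searches=None):
    """Expand the template once per input row, stopping at maxsearches."""
    template, maxsearches = parse_map_args(arg_string, saved_searches)
    run = MapRun()
    for row in rows[:maxsearches]:
        run.unresolved |= {t for t in TOKEN.findall(template) if t not in row}
        # An unresolved token is left in place so the caller can see it (model choice).
        run.searches.append(TOKEN.sub(lambda m: row.get(m.group(1), m.group(0)), template))
    run.skipped = max(0, len(rows) - maxsearches)
    return run


# Constructed stand-in for the UserList.csv rows after the rename/table stage: 12 rows.
USER_ROWS = list(csv.DictReader(io.StringIO(
    "user_name,first_name,e-mailAddress\n"
    + "".join(f"user{i:02d},First{i:02d},user{i:02d}@example.com\n" for i in range(1, 13))
)))

EMAIL_TEMPLATE = ('[sendemail to=$e-mailAddress$ subject="User $user_name$ to be locked" '
                  'message="Hi $first_name$, ..."]')


def demo():
    """Return (emails with default cap, emails with maxsearches=99, unresolved tokens, option-first error)."""
    default_run = run_map(EMAIL_TEMPLATE, USER_ROWS)
    capped_run = run_map(EMAIL_TEMPLATE + " maxsearches=99", USER_ROWS)
    # Row field is spelled `emailAddress`, template asks for `$e-mailAddress$`.
    mismatch = run_map('search="sendemail to=$e-mailAddress$"',
                       [{"user_name": "abc123", "emailAddress": "abc@somewhere.com"}])
    try:
        run_map("maxsearches=99 " + EMAIL_TEMPLATE, USER_ROWS)
        option_first_error = None
    except MapSyntaxError as err:
        option_first_error = str(err)
    return len(default_run.searches), len(capped_run.searches), mismatch.unresolved, option_first_error


if __name__ == "__main__":
    print(demo())
```

`demo()` returns 10 emails for the default cap (two rows skipped), 12 with `maxsearches=99`, the unresolved `e-mailAddress` token for a row whose field is spelled `emailAddress` (the mismatch in the second run-anywhere example above), and the saved-search error for the option-first form. The unresolved-token check is the one worth running before wiring `sendemail` to real addresses: in this model an unresolved token stays in the expanded search, which is exactly the case the check exists to catch.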

vineeth_jain
Explorer

| source="UserList.csv" host="prd-p-bjs8j4b5tcmc" sourcetype="SplUsers" "User Lock Status"=0 "User Type"=A |
makeresults |
rename "User Name" AS user_name, "User Master Maintenance_ User Group" AS user_group, "User Lock Status" AS user_lock_status, "Last Logon Date" AS last_logon_date, "First name" AS first_name, "Full Name" AS full_name, "E-Mail Address" AS e-mailAddress |
eval last_logon_date = strptime(last_logon_date, "%m/%d/%Y") | WHERE
(last_logon_date >= relative_time (now(), "-90d")) AND
(last_logon_date <= relative_time (now(), "-60d")) |
eval last_logon_date = strftime (last_logon_date, "%m/%d/%Y") |
sort 0 + last_logon_date |
eval user_name="abc123", e-mailAddress="abc@somewhere.com", first_name="alpha"|
table user_name,first_name,e-mailAddress |
map search="| makeresults
| fields - _time
| eval email=$e-mailAddress$, username=$user_name$, firstname=$first_name$
| sendemail to=$e-mailAddress$ cc="vineethjain28@gmail.com" subject="User $user_name$ to be locked"
message="Hi $first_name$,

              User $user_name$ will be locked as you didn't login to SAP system since 60 days.

              Regards,
              SAP Admin." sendresults=false footer="Kindly contact SAP Admin if you don't want to be locked within 2 business days.""

I am getting error as "Search Factory: Unknown search command 'source'."

Unable to identify the mistake I am making. Can you please help?

0 Karma

vineeth_jain
Explorer

Can you please provide me the updated Splunk map query as specified above? I am getting an error while writing maxsearches in the map query.

0 Karma