Reporting

Why are only 10 emails being returned when generating email notifications using the Map query?

vineeth_jain
Explorer

Hi,

The SPL query below returns 41 field values in the table, but for email notifications using the MAP command only 10 mails are generated, and I get the following error when using maxsearches along with the MAP query:

Error in 'map' command: Unable to find saved search 'maxsearches=99'.

The search job has failed due to an error. You may be able view the job in the Job Inspector.

I am able to get only 10 mails when running the query below, but the actual result count turns out to be 41.

source="UserList.csv" host="prd-p-bjs8j4b5tcmc" sourcetype="SplUsers" "User Lock Status"=0 "User Type"=A |
rename "User Name" AS user_name, "User Master Maintenance_ User Group" AS user_group,  "User Lock Status" AS user_lock_status,  "Last Logon Date" AS last_logon_date, "First name" AS first_name, "Full Name" AS full_name, "E-Mail Address" AS e-mailAddress |
eval last_logon_date = strptime(last_logon_date, "%m/%d/%Y") | WHERE
(last_logon_date >= relative_time (now(), "-90d")) AND 
(last_logon_date <= relative_time (now(), "-60d")) |
eval last_logon_date = strftime (last_logon_date, "%m/%d/%Y") |
sort 0 + last_logon_date |
table user_name,user_group,first_name,full_name,user_lock_status,last_logon_date,e-mailAddress |
map [sendemail to = $e-mailAddress$ cc="xyz@yahoo.com" subject="User $user_name$ to be locked"
message="Hi $first_name$,

User $user_name$ will be locked as you didn't login to SAP system since 60 days.

Regards,
SAP Admin." sendresults=false footer="Kindly contact SAP Admin if you don't want to be locked within 2 business days."]

Please help to generate all 41 email notifications. Thank you!

0 Karma
1 Solution

woodcock
Esteemed Legend

Using subsearch is not supported for map and you also need max_searches=50. Try this:

index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=AndSourcetypeToo AND source="UserList.csv" host="prd-p-bjs8j4b5tcmc" sourcetype="SplUsers" "User Lock Status"=0 "User Type"=A
| rename "User Name" AS user_name, "User Master Maintenance_ User Group" AS user_group,  "User Lock Status" AS user_lock_status,  "Last Logon Date" AS last_logon_date, "First name" AS first_name, "Full Name" AS full_name, "E-Mail Address" AS e-mailAddress
| eval last_logon_date = strptime(last_logon_date, "%m/%d/%Y")
| where (last_logon_date >= relative_time (now(), "-90d")) AND 
        (last_logon_date <= relative_time (now(), "-60d"))
| eval last_logon_date = strftime (last_logon_date, "%m/%d/%Y")
| sort 0 + last_logon_date
| table user_name,user_group,first_name,full_name,user_lock_status,last_logon_date,e-mailAddress
| map maxsearches=99 search="sendemail to = $e-mailAddress$ cc=\"xyz@yahoo.com\" subject=\"User $user_name$ to be locked\"
message=\"Hi $first_name$,

User $user_name$ will be locked as you didn't login to SAP system since 60 days.

Regards,
SAP Admin.\" sendresults=false footer=\"Kindly contact SAP Admin if you don't want to be locked within 2 business days.\""


0 Karma


niketn
Legend

[UPDATED ANSWER]
Hi Vineet, as requested, use the following run-anywhere example of using the map command. Plug in your query as per your needs:

The following tests that the map command uses the query to populate the required fields inside the map command.

| makeresults
| eval user_name="abc123",emailAddress="abc@somewhere.com",first_name="alpha",last_name="gamma"
| table user_name,first_name,emailAddress
| map search="| makeresults
        | fields - _time
        | eval email=\"$emailAddress$\", username=\"$user_name$\", firstname=\"$first_name$\"
        "

Following is the query which should send out email provided you have email configured:

| makeresults
| eval user_name="abc123",emailAddress="abc@somewhere.com",first_name="alpha",last_name="gamma"
| table user_name,first_name,emailAddress
| map search="| makeresults
        | fields - _time
        | eval email=\"$emailAddress$\", username=\"$user_name$\", firstname=\"$first_name$\"
        | sendemail to=\"$emailAddress$\" cc=\"xyz@yahoo.com\" subject=\"User $user_name$ to be locked\"
        message=\"Hi $first_name$,

                 User $user_name$ will be locked as you didn't login to SAP system since 60 days.

                 Regards,
                 SAP Admin.\" sendresults=false footer=\"Kindly contact SAP Admin if you don't want to be locked within 2 business days.\""

PS: If you want to send out a formatted email (sendemail will send out plaintext content), you should check out the Sendresults app from Splunkbase.


@vineeth_jain use the argument maxsearches=<int> to set an upper limit on the number of results you want to process through the map command. The default is set to 10.

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Map#Optional_arguments

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
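As an added, run-anywhere example that is not from any poster in this thread: the SPL below builds 15 constructed rows, drops any row whose address would break the generated search when map interpolates it (a `$field$` token is substituted literally into the inner search string, so a stray quote in the data becomes part of the search syntax), runs the same harmless inner search niketn used, and counts how many rows map actually processed. With the default maxsearches of 10 the final count is 10; with maxsearches=50 it is 15. The row count, the field names and the example.invalid addresses are assumptions made for this example.

```spl
| makeresults count=15
| streamstats count AS n
| eval user_name="user".n, first_name="first".n, emailAddress="user".n."@example.invalid"
| where match(emailAddress, "^[^@\s\"]+@[^@\s\"]+$")
| table user_name, first_name, emailAddress
| map search="| makeresults
        | fields - _time
        | eval email=\"$emailAddress$\", username=\"$user_name$\", firstname=\"$first_name$\"
        " maxsearches=50
| stats count AS mapped_rows
```

Once mapped_rows matches the number of rows in the table, replace the inner eval with the sendemail command, keeping every quote inside the search="..." string escaped as \" exactly as in niketn's second query, and set maxsearches to at least the number of recipients.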

vineeth_jain
Explorer

| source="UserList.csv" host="prd-p-bjs8j4b5tcmc" sourcetype="SplUsers" "User Lock Status"=0 "User Type"=A |
makeresults |
rename "User Name" AS user_name, "User Master Maintenance_ User Group" AS user_group, "User Lock Status" AS user_lock_status, "Last Logon Date" AS last_logon_date, "First name" AS first_name, "Full Name" AS full_name, "E-Mail Address" AS e-mailAddress |
eval last_logon_date = strptime(last_logon_date, "%m/%d/%Y") | WHERE
(last_logon_date >= relative_time (now(), "-90d")) AND
(last_logon_date <= relative_time (now(), "-60d")) |
eval last_logon_date = strftime (last_logon_date, "%m/%d/%Y") |
sort 0 + last_logon_date |
eval user_name="abc123", e-mailAddress="abc@somewhere.com", first_name="alpha"|
table user_name,first_name,e-mailAddress |
map search="| makeresults
| fields - _time
| eval email=$e-mailAddress$, username=$user_name$, firstname=$first_name$
| sendemail to=$e-mailAddress$ cc="vineethjain28@gmail.com" subject="User $user_name$ to be locked"
message="Hi $first_name$,

              User $user_name$ will be locked as you didn't login to SAP system since 60 days.

              Regards,
              SAP Admin." sendresults=false footer="Kindly contact SAP Admin if you don't want to be locked within 2 business days.""

I am getting the error "Search Factory: Unknown search command 'source'."

I am unable to identify the mistake I am making. Can you please help?

0 Karma

vineeth_jain
Explorer

Can you please provide me the updated Splunk map query as specified above? I am getting an error while writing maxsearches in the map query.

0 Karma