Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

email "To" list from search results

rv6abob
Engager
‎09-30-2010 05:55 PM

Any way to make a scheduled searches "To" list be a result field from a search?

Tags (2)
0 Karma
Reply

Lowell
Super Champion
‎09-30-2010 07:17 PM

I tried some other "tricks" but nothing seemed acceptable. I'm fairly confident you could do something like this using map. Something like:

 <email lookup search> | stats values(email) as to | eval to=mvjoin(to, ",") | map search=" <the real search> | sendemail to=\"$to$\""`

But that gets pretty ugly really quick (especially if you have many double quotes), and there are other limitations too.

I think the only real answer is to make your own email sending search command that can be told to use some sort of field substitution within the "to" field. Which admittedly would be nice and I could that that being helpful for other fields too, like the subject line.

If you want to go down that road, be sure to check out the existing sendemail search command. You can find the existing code here: $SPLUNK_HOME/etc/apps/search/bin/sendemail.py It's probably a better idea to copy this instead of modifying the existing one since it will be overwritten by any splunk upgrades.

Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...