sendemail question - iterating through results to perform slightly different actions based on output.

pkeller
Contributor

Basic search is:

host="*" | stats count(linecount) as count by host,sysadmin| where count > 1000000 | sort -count | sendemail to=recipient@domain.com format=html sendresults=true subject=search_results

Ok ... this works. Essentially any host that has sent more than a million messages to splunk will be captured in the search ... The sysadmin owner of that host is a field obtained by a working lookup ...

So, in the case of this search reporting two hosts:

host1 sysadmin1 2000000
host2 sysadmin2 1700000
host3 sysadmin1 1500000

I'd like to somehow be able to grab those results and send only the search output relevant to sysadmin1 to sysadmin1 and the same for sysadmin2.

subject="noisy syslog volume for hosts owned by $sysadmin$" ( just a guess as to altering the subject line on a per recipient basis ) ...

So, how to iterate between unique sysadmins and send the results relevant to each individually.

Thanks very much

martin_mueller
SplunkTrust
SplunkTrust

You could write a small python script for that and define it as a custom search command. I don't think splunk can do this out of the box without specifying one search per sysadmin.

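The per-owner fan-out that martin_mueller suggests, as an added Python example (not code from this thread or from Splunk): it takes the rows the question's `stats ... | where count > 1000000` produces, here as constructed sample data, and builds one message per sysadmin containing only that sysadmin's hosts. The owner-to-address mapping and the sender address are assumptions.

```python
"""Per-owner fan-out of one Splunk result set (added example, not the thread's code).
Implements martin_mueller's suggestion of a small Python script: take the rows
of `stats count(linecount) as count by host,sysadmin | where count > 1000000`
(constructed sample below) and build one message per sysadmin with only that
sysadmin's hosts. Owner addresses and the sender are assumptions."""
import csv
import io
from collections import defaultdict
from email.message import EmailMessage
from html import escape

# Constructed sample: the three rows shown in the question, as CSV.
SEARCH_RESULTS = """host,sysadmin,count
host1,sysadmin1,2000000
host2,sysadmin2,1700000
host3,sysadmin1,1500000
"""

# Assumed owner -> mailbox mapping; in practice this would come from the same lookup.
OWNER_ADDRESSES = {"sysadmin1": "sysadmin1@example.com", "sysadmin2": "sysadmin2@example.com"}
SENDER = "splunk@example.com"  # assumed sender address

def group_by_owner(csv_text):
    """Return {sysadmin: [{"host": ..., "count": ...}, ...]} from the search output."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        groups[row["sysadmin"]].append({"host": row["host"], "count": int(row["count"])})
    return dict(groups)

def render_html(rows):
    """Build the HTML table that sendemail format=html would have produced, highest count first."""
    body = "".join(f"<tr><td>{escape(r['host'])}</td><td>{r['count']}</td></tr>"
                   for r in sorted(rows, key=lambda r: -r["count"]))
    return f"<table><tr><th>host</th><th>count</th></tr>{body}</table>"

def build_messages(csv_text):
    """One EmailMessage per sysadmin; the subject carries the owner, as the question asked."""
    messages = []
    for owner, rows in group_by_owner(csv_text).items():
        msg = EmailMessage()
        msg["From"] = SENDER
        msg["To"] = OWNER_ADDRESSES.get(owner, SENDER)  # unknown owner: route back to sender
        msg["Subject"] = f"noisy syslog volume for hosts owned by {owner}"
        msg.set_content(render_html(rows), subtype="html")
        messages.append(msg)
    return messages

if __name__ == "__main__":
    for m in build_messages(SEARCH_RESULTS):
        print(m["To"], "|", m["Subject"])
```

Delivery is left to the caller, e.g. `smtplib.SMTP("mailserver").send_message(msg)` for each message returned by `build_messages`.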
BP9906
Builder

Just as a follow up to those who might be looking for an answer like this. I originally did it like this, using a bash script to take the results of my scheduled search and parse the results and feed it back into a command line splunk search (ie ./bin/splunk search "blah").

I found that I can save the hassle by 1) making a custom copy of the sendemail command and making my own command to make it a customer facing prettier email 2) using the "map" command to search using stats count by and feeding the "by" fields into almost the same search using map command.

sourcetype=blah | join type=outer host [ |inputlookup email_lookup.csv | fields from, to, host ] | stats count by from, to, host | map search="search sourcetype=blah | join type=outer host [ |inputlookup email_lookup.csv ] | search to=\"$to$\" from=\"$from$\" host=\"$host$\" | sendemailpretty from=\"$from$\" to=\"$to$\" subject=\"Email\" server=mailserver sendresults=true inline=true format=html"

Note: please escape the internal quotes of the map search=" " using backslash-quote.

Hope this helps others out.

martin_mueller
SplunkTrust
SplunkTrust

If you survive Perl you'll make do with Python as well 🙂

PS: If your script turns out well you should consider publishing it as an add-on on splunkbase.

pkeller
Contributor

Thanks very much for your reply. I ended up writing a simple shell script, placed it in $SPLUNK_HOME/bin/scripts and it calls a perl script and passes it the $8 variable out of the splunk search. That does the trick. ( don't know python well enough to do the same ). 😎
