sendemail to Function - Send email only if there are results

anantshah
Path Finder

Hello,

I am using the sendemail to function in my search to send emails. I receive the email whenever the search is run as expected. Is there a way to configure the search/sendemail function so that email is only sent out if there are results?

I am aware that I can accomplish this if I use the scheduled search with alert functionality and pick "generate alerts if events greater than > 0". I cannot use this as I want the results in a CSV file. The alert functionality is configured to use inline results and I am not able to modify it for a single search.

1 Solution

woodcock
Esteemed Legend

Do it like this:

... | rename COMMENT1of3 AS "Splunk sendemail ALWAYS sends email, even when no results found; we address this with 2 settings:"
| rename COMMENT2of3 AS "First, we put 'null()' in 'to' header when no results; this causes 'sendemail' to error."
| rename COMMENT3of3 AS "Last, we use 'graceful=true' so that the search does not log any error for that."
| eval valueForToHeader=if(isnotnull(someFieldNameInYourResults), "YourGoodEmailGoesHere@YourCompany.com", null())
| sendemail
   to=$result.valueForToHeader$
   graceful=true
   ...


anjith05
New Member

The above solution works fine except that it is adding the valueForToHeader to the results sent in the email, is there a way to filter out that valueForToHeader column in the result set sent in email?


sideview
SplunkTrust

Well it sounds like you've modified your system to send the emails differently than they are normally sent out? But for the record, when you use the normal alerting on a scheduled search, I believe when it sends you the results it attaches them as a CSV file.

Certainly csv is one of the options when you create an alert in 4.2.

I think for you, the best option may be to set up your alert to trigger a Python script instead of using the native sendemail. I believe the results of the search are made available to those Python scripts and you can then send your own email from Python, hopefully without a great deal of trouble. Unfortunately I don't know of any examples you can build off of, but maybe someone else does.

the docs for scripted alerting are here:

http://www.splunk.com/base/Documentation/4.2/Admin/Configurescriptedalerts

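sideview's scripted-alert suggestion, written out as an added example (this is not code from the thread, from Splunk, or from the linked docs). It assumes the positional argument layout that Splunk passes to alert scripts (argv[1] = number of events returned, argv[4] = saved search name, argv[8] = path to the gzipped CSV of results), and the SMTP host, sender and recipient are placeholders. The sample CSV embedded below is constructed to look like a results file after gunzip. Because this is a script rather than the sendemail command, it simply does not mail when there are no rows, and it also strips the helper column that anjith05 noticed leaking into the emailed results.

```python
#!/usr/bin/env python3
"""Scripted alert action: mail the results as a CSV attachment only when there are results.

Assumed Splunk scripted-alert argument layout (not verified here):
  argv[1] = number of events returned
  argv[4] = name of the saved search
  argv[8] = path to the gzipped CSV results file
"""
import csv
import gzip
import io
import smtplib
import sys
from email.message import EmailMessage

SMTP_HOST = "smtp.example.com"                        # assumption: your mail relay
MAIL_FROM = "splunk@example.com"                      # assumption
MAIL_TO = "YourGoodEmailGoesHere@YourCompany.com"     # assumption
HELPER_COLUMNS = ("valueForToHeader",)                # bookkeeping fields to strip

# Constructed sample of what the results file contains after gunzip.
SAMPLE_CSV = (
    "_time,host,status,valueForToHeader\n"
    "2024-01-01T00:00:00,web01,500,YourGoodEmailGoesHere@YourCompany.com\n"
    "2024-01-01T00:01:00,web02,503,YourGoodEmailGoesHere@YourCompany.com\n"
)


def should_send(event_count: int, rows: list) -> bool:
    """Mail only if Splunk reported events AND the CSV actually has rows."""
    return event_count > 0 and len(rows) > 0


def parse_results(csv_text: str) -> list:
    """Parse a Splunk results CSV into a list of dicts (one per result row)."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def drop_columns(rows: list, names=HELPER_COLUMNS) -> list:
    """Remove helper columns so they do not appear in the mailed CSV."""
    return [{k: v for k, v in row.items() if k not in names} for row in rows]


def rows_to_csv(rows: list) -> str:
    """Serialise rows back to CSV text, header first."""
    if not rows:
        return ""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def build_message(rows: list, search_name: str) -> EmailMessage:
    """Build the email with the results attached as results.csv."""
    msg = EmailMessage()
    msg["Subject"] = f"Splunk alert: {search_name} ({len(rows)} results)"
    msg["From"] = MAIL_FROM
    msg["To"] = MAIL_TO
    msg.set_content(f"{len(rows)} result(s) attached as CSV.")
    msg.add_attachment(rows_to_csv(rows), subtype="csv", filename="results.csv")
    return msg


def load_results_file(path: str) -> list:
    """Read the gzipped results CSV Splunk hands to the script."""
    with gzip.open(path, "rt", newline="") as fh:
        return parse_results(fh.read())


def main(argv) -> int:
    if len(argv) < 9:
        sys.exit("expected Splunk scripted-alert positional arguments")
    event_count = int(argv[1])
    search_name = argv[4]
    rows = drop_columns(load_results_file(argv[8]))
    if not should_send(event_count, rows):
        return 0  # nothing to report, so no email at all
    with smtplib.SMTP(SMTP_HOST) as smtp:
        smtp.send_message(build_message(rows, search_name))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The event count from Splunk and the row count from the file are both checked before mailing, so an empty results file (or a zero-event trigger) never produces a message.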

woodcock
Esteemed Legend

Thank you for the UpVote, @sideview!


sideview
SplunkTrust

I agree. My accepted answer here is from the 4.2 era. Looking in the docs, it seems graceful=true has been there since at least 4.3. As a wild guess, graceful=true has just been there forever and you could always do this and I just didn't notice until today. 😃 Agree that yours should be the accepted answer.

woodcock
Esteemed Legend

To be fair, this took me weeks to figure out, off and on. It was challenging. It seems totally non-intuitive that you can use eval when there are no events in your current data set, but evidently calling sendemail does something very special that possibly no other commands do, probably because a great deal of effort was put into that command for the express intent of doing exactly what we are trying to disallow! It really should be a command argument: send_when_no_results={true,false}.
