I am using the sendemail function in my search to send emails. I receive the email whenever the search is run, as expected. Is there a way to configure the search/sendemail function so that email is only sent out if there are results?
I am aware that I can accomplish this if I use the scheduled search with alert functionality and pick generate alerts if events greater than > 0. I cannot use this as I want the results in a csv file. The alert functionality is configured to use inline results and I am not able to modify it for a single search.
Well it sounds like you've modified your system to send the emails differently than they are normally sent out? But for the record, when you use the normal alerting on a scheduled search, I believe when it sends you the results it attaches them as a CSV file.
Certainly csv is one of the options when you create an alert in 4.2.
I think for you, the best option may be to set up your alert to trigger a python script instead of using the native sendemail. I believe the results of the search are made available to those python scripts and you can then send your own email from python, hopefully without a great deal of trouble. Unfortunately I don't know of any examples you can build off of, but maybe someone else does.
the docs for scripted alerting are here:
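As an added example (not from this thread and not one of Splunk's own alert scripts), here is the kind of script the suggestion above describes: a scripted alert action that reads Splunk's positional arguments (argv[1] is the event count, argv[8] is the path to the gzipped results CSV) and only sends mail, with the CSV attached, when the count is above zero. The SMTP host and the addresses are placeholder assumptions.

```python
#!/usr/bin/env python
"""Scripted alert action: e-mail the CSV results only when the search
returned at least one event.  Splunk hands the trigger details to the
script as positional arguments; argv[1] is the number of events and
argv[8] is the path to the gzipped results CSV (results.csv.gz)."""
import gzip
import smtplib
import sys
from email.message import EmailMessage

SMTP_HOST = "smtp.example.com"          # placeholder, not from the thread
MAIL_FROM = "splunk@example.com"        # placeholder
MAIL_TO = ["oncall@example.com"]        # placeholder


def should_send(event_count):
    """Mirror 'trigger if events > 0': only e-mail when something matched."""
    try:
        return int(event_count) > 0
    except (TypeError, ValueError):
        return False


def build_message(saved_search, event_count, results_path):
    """Build the e-mail with the search's results.csv.gz attached as CSV."""
    msg = EmailMessage()
    msg["From"] = MAIL_FROM
    msg["To"] = ", ".join(MAIL_TO)
    msg["Subject"] = "[Splunk] %s: %s result(s)" % (saved_search, event_count)
    msg.set_content("Results for saved search %r are attached." % saved_search)
    with gzip.open(results_path, "rb") as fh:   # Splunk stores results gzipped
        csv_bytes = fh.read()
    msg.add_attachment(csv_bytes, maintype="text", subtype="csv",
                       filename="%s.csv" % saved_search)
    return msg


def main(argv):
    # Splunk scripted-alert argument order: 1=event count, 2=search terms,
    # 3=query, 4=saved search name, 5=trigger reason, 6=URL, 7=unused,
    # 8=path to results.csv.gz
    if len(argv) < 9 or not should_send(argv[1]):
        return 0                      # zero results: send nothing, exit clean
    msg = build_message(argv[4], argv[1], argv[8])
    with smtplib.SMTP(SMTP_HOST) as smtp:
        smtp.send_message(msg)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```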
I agree. My accepted answer here is from the 4.2 era. Looking in the docs, it seems graceful=true has been there since at least 4.3. As a wild guess, graceful=true has just been there forever and you could always do this and I just didn't notice until today. 😃 Agree that yours should be the accepted answer.
To be fair, this took me weeks to figure out, off and on. It was challenging. It seems totally non-intuitive that you can use eval when there are no events in your current data set, but evidently calling sendemail does something very special that possibly no other commands do, probably because a great deal of effort was put into that command for the express intent of doing exactly what we are trying to disallow! It really should be a command argument:
Do it like this:
... | rename COMMENT1of3 AS "Splunk sendemail ALWAYS sends email, even when no results found; we address this with 2 settings:"
    | rename COMMENT2of3 AS "First, we put 'null()' in 'to' header when no results; this causes 'sendemail' to error."
    | rename COMMENT3of3 AS "Last, we use 'graceful=true' so that the search does not log any error for that."
    | eval valueForToHeader=if(isnotnull(someFieldNameInYourResults), "YourGoodEmailGoesHere@YourCompany.com", null())
    | sendemail to=$result.valueForToHeader$ graceful=true ...
The above solution works fine, except that it adds the valueForToHeader column to the results sent in the email. Is there a way to filter out that valueForToHeader column from the result set sent in the email?