Security

Create an alert that sends emails to addresses that are identified as a field value

pstamati
Path Finder

Hello guys. Looking for some help from the experts.

I want to create an alert that will send emails to specific mailboxes, these addresses are part of the search result, so for example:


DEVICE_TYPE       VULNERABLE_COMPONENT    COUNT   recipient
Linux Server      OS Vendor Patches       5       team1@mydomain.com
Linux Server      Oracle WebLogic         6       team2@mydomain.com
Linux Server      Other                   4       team3@mydomain.com
Windows Server    OS Vendor Patches       3       team1@mydomain.com
Windows Server    Oracle WebLogic         12      team2@mydomain.com
Windows Server    Other                   3       team3@mydomain.com


So I want team1@mydomain.com to receive the alert with the corresponding records:

DEVICE_TYPE       VULNERABLE_COMPONENT    COUNT   recipient
Linux Server      OS Vendor Patches       5       team1@mydomain.com
Windows Server    OS Vendor Patches       3       team1@mydomain.com


and so on for the other recipients.
I tried the "|sendemail to:$results.recipient$" command I've seen in other posts, but it didn't work.

thanks in advance for any help you can provide.



Bohdan_O
Explorer

Hello @pstamati,

In order to use sendemail you would need to use the map command and iterate through the batch of results; it is possible but more complicated.

What I would suggest is to use the sendresults app for Splunk; then you would do:

<your SPL>
| table DEVICE_TYPE VULNERABLE_COMPONENT COUNT recipient
| eval email_to=recipient
| eval email_subj="My subject here"
| eval email_body="Email body goes here"
| fields - recipient ```drop recipient so it is not sent as a column in the email```
| sendresults sender="foo@bar.com" showemail=f showbody=f showsubj=f showfooter=f

This will combine and send results to each separate recipient.

*You can also add formatting with HTML in the footer and body, etc. (check the docs for further info).

pstamati
Path Finder

Thanks for your response. I checked with my Splunk team, but it seems the sendresults app is not an option for our implementation.
I'm not familiar with the "map" command. Can you help with some insights on how that would look?


Bohdan_O
Explorer

Hey @pstamati,


Not a fan of this way of doing it; I have used it only a few times in the past. The methodology is below:

1. Run your search and save results to a csv (say using outputlookup). (Report 1)

2. Create a second search with inputlookup: (Report 2)

| inputlookup your_saved_results.csv
| table DEVICE_TYPE VULNERABLE_COMPONENT COUNT recipient
| dedup recipient
| fields recipient
| map search="| inputlookup your_saved_results.csv
    | search recipient=$recipient$
    | table DEVICE_TYPE VULNERABLE_COMPONENT COUNT recipient
    | sendemail to=$recipient$ subject=\"Check this out\" message=\"Not a very easy command.\" sendcsv=true sendresults=false paperorientation=landscape" maxsearches=100

Where the maxsearches number would be the maximum row count that your csv could possibly have (the maximum number of results).

The two-searches/two-reports method is optional if your main query is lightweight. I mean, if it takes seconds to run, you could replace the <inputlookup> with the query itself and do it all in one report.

Hope I didn't overcomplicate things.


ITWhisperer
SplunkTrust

It should be result not results and the information is only available from the fields in the first result event, not from each event in the result set.
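The per-recipient split that the map search in the thread performs, together with ITWhisperer's point that $result.recipient$ only ever carries the first row's address, can also be reproduced outside SPL, for example in a script that is handed the search results as CSV. The Python below is an added example and is not code from any poster in this thread or from Splunk. The CSV sample is constructed to mirror the table in the question (plus one row with an external address), and ALLOWED_DOMAINS, group_by_recipient and build_messages are names chosen here. It builds one message per recipient containing only that recipient's rows, and it rejects recipient values outside an allow-listed domain, because the address comes from search data rather than from the alert configuration and should not be trusted to route results anywhere. Actual delivery (smtplib) is left to the caller.

```python
import csv
import io
from collections import defaultdict
from email.message import EmailMessage

# Constructed sample results shaped like the table in the question.
# The last row is constructed to show how an unexpected address is handled.
SAMPLE_RESULTS_CSV = """DEVICE_TYPE,VULNERABLE_COMPONENT,COUNT,recipient
Linux Server,OS Vendor Patches,5,team1@mydomain.com
Linux Server,Oracle WebLogic,6,team2@mydomain.com
Linux Server,Other,4,team3@mydomain.com
Windows Server,OS Vendor Patches,3,team1@mydomain.com
Windows Server,Oracle WebLogic,12,team2@mydomain.com
Windows Server,Other,3,team3@mydomain.com
Windows Server,Other,1,someone@external.example
"""

# Assumption: only mailboxes in these domains may receive vulnerability data.
ALLOWED_DOMAINS = {"mydomain.com"}


def group_by_recipient(csv_text, recipient_field="recipient"):
    """Split result rows into one list per recipient (the same grouping the
    `dedup recipient | map ...` search produces), dropping addresses that are
    not in an allowed domain. Returns (grouped rows, rejected addresses, columns)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    rows = list(reader)
    fieldnames = list(reader.fieldnames or [])
    grouped = defaultdict(list)
    rejected = []
    for row in rows:
        addr = (row.get(recipient_field) or "").strip()
        domain = addr.rpartition("@")[2].lower()
        if "@" not in addr or domain not in ALLOWED_DOMAINS:
            rejected.append(addr)
            continue
        grouped[addr].append(row)
    return dict(grouped), rejected, fieldnames


def rows_to_csv(rows, fieldnames):
    """Serialise a recipient's rows back to CSV for the attachment."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def build_messages(csv_text, sender, subject, recipient_field="recipient"):
    """Return {recipient: EmailMessage} with one message per recipient that
    contains only that recipient's rows, as a plain-text table in the body
    and as a CSV attachment. Nothing is sent here."""
    grouped, rejected, fieldnames = group_by_recipient(csv_text, recipient_field)
    body_cols = [f for f in fieldnames if f != recipient_field]
    messages = {}
    for addr, rows in grouped.items():
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = addr
        msg["Subject"] = subject
        lines = ["\t".join(body_cols)]
        lines += ["\t".join(r[c] for c in body_cols) for r in rows]
        msg.set_content("\n".join(lines) + "\n")
        msg.add_attachment(
            rows_to_csv(rows, fieldnames).encode("utf-8"),
            maintype="text",
            subtype="csv",
            filename="results.csv",
        )
        messages[addr] = msg
    return messages, rejected


if __name__ == "__main__":
    msgs, rejected = build_messages(SAMPLE_RESULTS_CSV, "splunk@mydomain.com",
                                    "Vulnerable components")
    for addr, msg in msgs.items():
        print(f"--- {addr} ---")
        print(msg.get_body().get_content())
    print("rejected recipients:", rejected)
```

A Splunk custom alert action could feed the results CSV it receives into build_messages and hand each message to an SMTP client; the domain allow-list is the check worth keeping, since a tampered lookup or a malformed recipient value would otherwise decide where vulnerability data is mailed.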
