Hello guys. Looking for some help from the experts.
I want to create an alert that will send emails to specific mailboxes, these addresses are part of the search result, so for example:
DEVICE_TYPE | VULNERABLE_COMPONENT | COUNT | recipient |
Linux Server | OS Vendor Patches | 5 | team1@mydomain.com |
Linux Server | Oracle WebLogic | 6 | team2@mydomain.com |
Linux Server | Other | 4 | team3@mydomain.com |
Windows Server | OS Vendor Patches | 3 | team1@mydomain.com |
Windows Server | Oracle WebLogic | 12 | team2@mydomain.com |
Windows Server | Other | 3 | team3@mydomain.com |
So I want team1@mydomain.com to receive the alert with the corresponding records,
DEVICE_TYPE | VULNERABLE_COMPONENT | COUNT | recipient |
Linux Server | OS Vendor Patches | 5 | team1@mydomain.com |
Windows Server | OS Vendor Patches | 3 | team1@mydomain.com |
and so on for the other recipients.
I tried the
"|sendemail to:$results.recipient$" command I've seen in other posts, but it didn't work.
Thanks in advance for any help you can provide.
Hello @pstamati,
In order to use sendemail you would need to use the map command and iterate through batches of results; it is possible but more complicated.
What I would suggest is to use the sendresults app for Splunk; then you would do:
<your SPL>
| table DEVICE_TYPE VULNERABLE_COMPONENT COUNT recipient
| eval email_to=recipient
| eval email_subj="My subject here"
| eval email_body="Email body goes here"
| fields - recipient ```drop the address so it is not sent as a table column```
| sendresults sender="foo@bar.com" showemail=f showbody=f showsubj=f showfooter=f
This will combine and send results to each separate recipient.
*You can also add formatting with HTML in the footer and body etc. (check the docs for further info)
Thanks for your response. I checked with my Splunk team, but it seems the sendresults app is not an option for our implementation.
I'm not familiar with the "map" command. Can you help with some insights on how that would look?
Hey @pstamati,
Not a fan of this way of doing it; I have used it only a few times in the past. The methodology is below:
1. Run your search and save results to a csv (say using outputlookup). (Report 1)
2. Create a second search with inputlookup: (Report 2)
| inputlookup your_saved_results.csv
| table DEVICE_TYPE VULNERABLE_COMPONENT COUNT recipient
| dedup recipient | fields recipient
| map search="|inputlookup your_saved_results.csv | search recipient=$recipient$
| table DEVICE_TYPE VULNERABLE_COMPONENT COUNT recipient
| sendemail to=$recipient$ subject=\"Check this out\" message=\"Not a very easy command.\" sendcsv=true sendresults=false paperorientation=landscape" maxsearches=100
Where the maxsearches number would be the maximum number of rows your CSV could possibly have (max result count).
The two searches/reports method is optional in case your main query is lightweight. I mean, if it takes seconds to run, you could replace <inputlookup> with the query itself, all in one report.
Hope I didn't overcomplicate things.
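Worked example of the single-report variant mentioned above, added here and not part of the original answer: the base search runs once to get the distinct recipients, then map re-runs it per recipient so each mailbox only gets its own rows. The index name (vuln_scans), the sourcetype and the subject/message text are assumptions; the field names are the ones from the thread.

```spl
index=vuln_scans sourcetype="vuln:summary" ```assumed index and sourcetype; adjust to your data```
| stats count AS COUNT BY DEVICE_TYPE VULNERABLE_COMPONENT recipient
| dedup recipient
| fields recipient
| map maxsearches=50 search="search index=vuln_scans sourcetype=\"vuln:summary\" recipient=\"$recipient$\"
    | stats count AS COUNT BY DEVICE_TYPE VULNERABLE_COMPONENT
    | table DEVICE_TYPE VULNERABLE_COMPONENT COUNT
    | sendemail to=\"$recipient$\" subject=\"Open vulnerability findings for $recipient$\" message=\"Attached are the findings assigned to your team.\" sendcsv=true sendresults=false paperorientation=landscape"
```

Because map evaluates $recipient$ once per row, every recipient gets a separate email, which is what an alert action with a single $result.recipient$ token cannot do.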
It should be result not results and the information is only available from the fields in the first result event, not from each event in the result set.