Splunk Cloud Platform

Send email to multiple users with respective data based on the result from search

Splunkerninja
Path Finder

Hi,

I have a search which populates results with email addresses for 1000+ users. I need to send ONLY the results tagged to the appropriate user via email. I have tried a couple of solutions from the community, but they didn't help me.

I want to combine all the results associated with each individual user and send them one single email, as the data will be large and I don't want to spam their inboxes.

For example:
results 4, 5 and 6 should be sent in one email only to malik@gmail.com, and so on for the other users.

(screenshot of the example results table omitted)

Please suggest 

0 Karma

PickleRick
SplunkTrust

You can't use the standard built-in mechanisms to do that directly because they all use the same result set. You can try some workarounds, as @marnall showed.

The other way is to either write your own custom command (which is cumbersome) or group your results into single mailable "items", render the mail body on your own and use the map command to call sendresults (you need to install that app first, of course).


0 Karma
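The "group into items, then fan out with map" approach from the answer above, written out as an added example (this is not PickleRick's code or the thread's code). The index, sourcetype and the fields action (recipient address), host, issue and owner are assumptions; the sendresults parameter names sendresults_to and subject are taken from the app's documentation and should be checked against the installed version. The outer search builds one row per recipient; map then re-runs the base search for that recipient only and hands the resulting table to sendresults, so no body text has to be rendered or quoted by hand:

```spl
index=tickets sourcetype=open_items earliest=-24h@h
| stats count AS total BY action
| where match(action, "^[^@\s\"]+@[^@\s\"]+$")
| map maxsearches=2000 search="search index=tickets sourcetype=open_items earliest=-24h@h action=\"$action$\"
    | table _time host issue owner
    | sendresults sendresults_to=\"$action$\" subject=\"Daily report: $total$ open items assigned to you\""
```

Three things to keep in mind when running this. map stops after 10 iterations by default, so maxsearches must be raised above the number of recipients or the later users silently get nothing. Every $action$ token is substituted verbatim into the inner search string, so a recipient value containing a double quote or whitespace would break (or alter) that search; the where clause keeps only plain addresses and drops empty ones, which is the minimum guard before using field values as search text. Finally, each iteration is a full search run under the scheduling user's permissions, so 1000 recipients means 1000 searches per alert run; schedule it once a day rather than on a short interval.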

marnall
Motivator

One thing you could do is save your search as an alert that triggers rapidly, which uses a different recipient email value that is supplied by a lookup table and iterates using another lookup table containing the email addresses that have already received an email.

MAIN SEARCH:

<yoursearch>
| search
[| inputlookup list_all_emails.csv
| table action
| search NOT
[| inputlookup done_sending_email.csv
| table action
| dedup action]
| head 1]
| outputlookup done_sending_email.csv append=true

You can generate the done_sending_email csv with this search:

| makeresults
| eval action = "randomfillervaluethatisnotanemail"
| outputlookup done_sending_email.csv

And generate the list_all_emails.csv with this search:

<yoursearch>
| dedup action
| table action
| outputlookup list_all_emails.csv

Once the 2 lookup tables are generated, run the main search a few times to see if it iterates through the results for the first few users. If it works, then regenerate the done_sending_email.csv lookup and save the main search as an alert. In the Alert settings, scroll down to "When Triggered", then set the To: field to $result.action$, and then set the rest of the "send email" options to your preference.

Set the cron schedule to be something rapid like * * * * * or */5 * * * *, then save the alert. You can then wait as your alert sends a different email to a different user on each execution, containing only the results relevant to them.

Once the done_sending_email.csv and list_all_emails.csv lookup tables are almost the same size, (done_sending_email.csv will be +1 bigger if it has the filler value) then the emails are all sent out. You can then disable the alert, or you can empty the done_sending_email.csv file if you'd like to send another wave of emails.

0 Karma

Splunkerninja
Path Finder

Thanks for the response. The thing is, this alert should trigger once every day and it should be dynamic, as the results keep changing. Based on your comment, it looks like I need to redo it every time I have to send the reports.

'Once the done_sending_email.csv and list_all_emails.csv lookup tables are almost the same size, (done_sending_email.csv will be +1 bigger if it has the filler value) then the emails are all sent out. You can then disable the alert, or you can empty the done_sending_email.csv file if you'd like to send another wave of emails.'

0 Karma

marnall
Motivator

You can also set up the search that generates done_sending_email to run once a day before the main search executes. This way the done_sending_email.csv file will be cleared and the main search will send out emails to people every day.

0 Karma
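The full daily rotation described across marnall's two answers, written out as an added example in savedsearches.conf form so that the ordering of the three scheduled searches is explicit (this is not marnall's code or the thread's code; in Splunk Cloud you would create the same three searches through the Alert and Report UI, which writes these stanzas for you). The lookup file names and the recipient field action come from the answer; <yoursearch> stays a placeholder, and the stanza names, the 05:55 and 06:00 run times and the 24 hour search window are assumptions. The third stanza rebuilds list_all_emails.csv every day, which the answer does not schedule but which the question needs because the set of recipients changes:

```ini
# Rebuild the recipient list daily, before the reset, so new users are included
# and users who no longer have results are dropped.
[build_list_all_emails]
enableSched = 1
cron_schedule = 55 5 * * *
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
search = <yoursearch> \
    | dedup action \
    | table action \
    | outputlookup list_all_emails.csv

# Overwrite the "already sent" list with a single filler row so the lookup is
# never empty. Runs after the list is rebuilt and before the first alert run.
[reset_done_sending_email]
enableSched = 1
cron_schedule = 0 6 * * *
dispatch.earliest_time = -1m
dispatch.latest_time = now
search = | makeresults \
    | eval action = "randomfillervaluethatisnotanemail" \
    | table action \
    | outputlookup done_sending_email.csv

# One recipient per minute: keep only the rows of the first address that is not
# yet in done_sending_email.csv, e-mail them, then record that address.
[send_per_user_report]
enableSched = 1
cron_schedule = * * * * *
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
search = <yoursearch> \
    | search [| inputlookup list_all_emails.csv | table action \
              | search NOT [| inputlookup done_sending_email.csv | table action | dedup action] \
              | head 1] \
    | outputlookup done_sending_email.csv append=true
# Fire whenever the filtered search returns at least one row; once every
# address has been recorded the subsearch returns nothing and the alert is quiet.
counttype = number of events
relation = greater than
quantity = 0
alert.track = 0
# All rows in a run share one address, so the first result's action is the recipient.
action.email = 1
action.email.to = $result.action$
action.email.subject = Daily report: items assigned to you
action.email.sendresults = 1
action.email.inline = 1
action.email.format = table
```

Do the arithmetic before picking the cron interval: at one recipient per run, 1000 recipients take about 17 hours with * * * * *, and about 3.5 days with */5 * * * *, so the five-minute schedule from the answer cannot finish a wave within a day at this volume. Anything still unsent when the 06:00 reset runs is simply skipped for that day, which is the failure mode to watch for in the first few waves.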