Splunk Enterprise

How to use the Log Event action for an alert and also send email dynamically to all the resultant email ids using |map()?


I have an alert that creates a table with email id, user id, endpoint and count in the result, which is used with the |map() & |send() functions to dynamically generate the emails.

I also needed this metadata to check which users I had sent emails to, so I had Action -> Log Event, but the problem is that Log Event only happens if the final result is a table, and it breaks if it's |map().

Action -> Send email works only for static emails.
How do I achieve Log Event + map() to send out emails dynamically?


Esteemed Legend

Like this:

Your search here
| appendpipe [ map search="<sendemail stuff here>" | where false() ]
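A fuller version of the pattern in the answer above, written as an added example rather than code from the answer or from Splunk. It assumes a hypothetical index app_logs with the fields email_id, user_id and endpoint, and that map inside appendpipe behaves as the answer describes: the outer search builds the table, the appendpipe subpipeline runs one sendemail per row via map, and where false() throws those rows away so the alert's final result is still the original table for the Log Event action.

```spl
index=app_logs sourcetype=access_combined status>=500 earliest=-15m
| stats count by email_id, user_id, endpoint
| appendpipe [
    map maxsearches=50 search="| makeresults
        | eval email_id=\"$email_id$\", user_id=\"$user_id$\", endpoint=\"$endpoint$\", count=$count$
        | sendemail to=\"$email_id$\"
            subject=\"[alert] $count$ errors on $endpoint$\"
            message=\"User $user_id$ hit $count$ server errors on $endpoint$ in the last 15 minutes.\"
            sendresults=true inline=true"
    | where false()
  ]
| table email_id user_id endpoint count
```

maxsearches caps how many per-row searches (and therefore emails) one alert run can fire, which matters when the base search unexpectedly returns hundreds of rows; raise it deliberately rather than leaving it unbounded. Because map substitutes field values into the search string verbatim, a value containing a double quote would break the inner search, so keep the mapped fields to ones you control (ids, hostnames) or sanitise them with replace() before the appendpipe. The Log Event action then records exactly the table that was emailed, one row per recipient.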


Have you tried this app?:


It can send alerts to dynamically generated emails based on previous search results.

Hope it helps!!!



P.S. I can send email dynamically, that's not the issue, but the problem is using the Action "Log Event" along with it. If you have any idea how to achieve that at the same time, let me know; for now I am using send mail for each result and that seems to be bailing me out, but I still wanted to resolve this.
