I have an alert that creates a table with email id, user id, endpoint, and count in the result, which is used with |map() & |send() to dynamically generate the emails.
I also needed this metadata to check which users I had sent emails to, so I had Action -> Log Event, but the problem is that Log Event only happens if the final result is a table, and it breaks if it's |map().
Action -> Send email works only for static emails.
How do I achieve this: Log Event plus map() to send out emails dynamically?
Like this:
Your search here
| appendpipe [ map search=[sendemail stuff here | where true() == false() ]]
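As an added worked example of the appendpipe/map pattern above (not from the thread), assuming a hypothetical index and an alert search that yields the fields email, user_id, endpoint and count; the map subsearch sends one mail per row, the final where discards the map output so the original table is what reaches Log Event:

```spl
index=app_logs sourcetype=access_combined status=401
| stats count BY user_id endpoint email
| where count > 20
| appendpipe [
    map maxsearches=100 search="| makeresults | eval user_id=\"$user_id$\", endpoint=\"$endpoint$\", count=$count$ | sendemail to=\"$email$\" subject=\"Repeated auth failures for $user_id$\" message=\"$user_id$ failed on $endpoint$ $count$ times\" sendresults=true"
    | where true() == false()
  ]
```

map stops after 10 iterations unless maxsearches is raised, so size it to the number of rows the alert can produce.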
Have you tried this app?:
https://splunkbase.splunk.com/app/1794/
It can send alerts to dynamically generated emails based on previous search results.
Hope it helps!!!
P.S. I can send email dynamically; that's not the issue. The problem is using the Action "Log Event" along with it. If you have any idea how to achieve that at the same time, let me know. For now I am using sendmail for each result, and that seems to be bailing me out, but I still wanted to resolve this.