Re: How to LogEvent action for an alert as well as...

vickycoder27 · ‎11-20-2019

I have an alert that creates a table and has emailed, user id, endpoint, count in the result which is used with |map() & |send() function to dynamically generate the emails.

I also needed this metadata information to check which user I had sent out emails so I had Action ->Log Event, but the problem is Log Event will happen only if the final result is a table but breaks if its |map().

Action->Send email works for only static emails.
How do I achieve this to Log Event + use map() to send out emails dynamically?

woodcock · ‎11-25-2019

Like this:

Your search here
| appendpipe [ map search=[sendemail stuff here | where true() == false() ]]

jaime_ramirez · ‎11-20-2019

Have you tried this app?:

https://splunkbase.splunk.com/app/1794/

It can send alerts to dynamically genrated emails based on previous search results.

Hope it helps!!!

vickycoder27 · ‎11-25-2019

P.S. I can send email dynamically, thats not the issue but the problem is using the Action "Log Event" along with it. If you have any idea how to achieve that at the same time, for now I am using send mail for each result and that seems to be bailing me out but still wanted to resolve this.

How to LogEvent action for an alert as well as send out email dynamically to all the resultant email id's using |map()?

configuration

other

troubleshooting

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life