Splunk Enterprise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a search based on search results using command 'sendemail'?

gl_splunkuser
Path Finder
‎06-22-2020 05:09 PM

Hello, I am using Splunk enterprise 7.3.5.

I would like to send an email, using the command sendemail, but I would like to create it based on a search result, so I am trying:

 

eventtype = myeventype | table message_subject, sender_address |sendemail sendresults=true inline=true from=$sender_address$ subject=$message_subject$ to=myemail

 

Where

message_subject and sender_address, are fields of the search. 

But when I received the email, looks like- (see the attached image)

Basically, the parameters are not working, I received the email without any of those parameters set.

 

email_bySplunk.PNG

How can I fix that?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gjanders
SplunkTrust
SplunkTrust
‎06-22-2020 09:37 PM

SendResults

Would likely be a good fit...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply
Solved! Jump to solution

gl_splunkuser
Path Finder
‎06-23-2020 09:22 AM

Sendresults as I read don't have the feature to set parameters in the value - sender: The sender (from) address of the emails - requires quotes. Defaults to Splunk SMTP sender setting. The same sender is used for all emails sent and not customizable on a per-email basis. - 

And I need to set that value as a parameter.

 

Thanks for your help. 

Tags (1)
0 Karma
Reply
Solved! Jump to solution

gjanders
SplunkTrust
SplunkTrust
‎06-23-2020 10:46 PM

Quoting the details page of sendresults app from SplunkBase:

"The Search Command version of Sendresults supports the following syntax and optional arguments:

sendresults [sender=string] [subject=string] [body=string] [footer=string] [maxrcpts=int] [msgstyle=string] [format_columns=string] [bcc=string] [showresults=boolean] [showemail=boolean] [showsubj=boolean] [showbody=boolean] [showfooter=boolean]

sender: The sender (from) address of the emails - requires quotes. Defaults to Splunk SMTP sender setting. The same sender is used for all emails sent and not customizable on a per-email basis."

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
Reply
Solved! Jump to solution

gl_splunkuser
Path Finder
‎06-23-2020 11:49 AM

I used the app sendresults, works pretty well, but I modify the sendresults.py to have the capability to use the sender as a parameter.

Code:

sender = event['sender']

And sent it as a parameter of sendemail function. 

Thanks for the suggestion @gjanders 

0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
Top