Splunk Enterprise

Sending Splunk email alert with variable email address and variable subject values.

sahil2901
Engager

Hello,

In my search query I've defined 3 email subjects and 3 email addresses with eval, and I want to send an alert to them based on a defined threshold.

e.g. if the threshold value is 1, then email_subject1 and email_address1, etc.

My output is in table format, so in order to use the $result.fieldname$ values I would have to add the email_subject and email_address fields to the search result table (definitely not desired). That is the issue I'm stuck at; I faced the same issue with "sendemail" as well.

Is there an alternate way to send the email alert via Splunk itself (no script)?

@fk319 @woodcock @MuS @bmunson_splunk 

0 Karma
1 Solution

woodcock
Esteemed Legend

There are 2 basic options.

#1: Hide the fields that you are using by making them invisible: prepend the underscore ("_") character to their names, like this:

    ... | foreach email_* [ rename <<FIELD>> AS _<<FIELD>> ]
    ... $result._fieldname$

#2: Bring the email function into the SPL using the sendemail command and separate the 2 portions of data using the map command, like this:

    ... | outputlookup TEMP_FILE_FOR_ALERT_FOO_BAR_BAT_DELETE_ME_AT_ANY_TIME.csv
    | stats values(email_recipient) AS email_recipients BY email_subject
    | nomv email_recipients
    | rex field=email_recipients mode=sed "s/[\r\n\s]+/,/g"
    | map max_searches=10 search="| inputlookup TEMP_FILE_FOR_ALERT_FOO_BAR_BAT_DELETE_ME_AT_ANY_TIME.csv
        | search email_subject=\"$email_subject$\"
        | fields - email_*
        | sendemail to=\"$email_recipients$\" subject=\"$email_subject$\""
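
A complete version of option #2, written as an added example rather than code from this thread: the base search, field names, thresholds and addresses are assumed (constructed for illustration), and the extra sendemail options (sendresults, inline, format) are standard ones. It assigns the subject and recipient per threshold with case(), then fans out one email per subject via map, so the two email fields never have to appear in the alert's result table.

```spl
index=app sourcetype=app_health earliest=-15m
| stats count(eval(status>=500)) AS errors BY host
| where errors>0
| eval threshold=case(errors>=100, 3, errors>=50, 2, true(), 1)
| eval email_subject=case(threshold==3, "CRITICAL: server errors on host",
                          threshold==2, "WARNING: elevated server errors",
                          true(),       "INFO: server errors detected")
| eval email_recipient=case(threshold==3, "oncall@example.com",
                            threshold==2, "sre-team@example.com",
                            true(),       "app-owners@example.com")
| outputlookup TEMP_ALERT_ERRORS_BY_HOST_DELETE_ME.csv
| stats values(email_recipient) AS email_recipients BY email_subject
| nomv email_recipients
| rex field=email_recipients mode=sed "s/[\r\n\s]+/,/g"
| map max_searches=10 search="| inputlookup TEMP_ALERT_ERRORS_BY_HOST_DELETE_ME.csv
    | search email_subject=\"$email_subject$\"
    | fields - email_*
    | sendemail to=\"$email_recipients$\" subject=\"$email_subject$\" sendresults=true inline=true format=table"
```

Each run overwrites the temporary lookup, and every row sent to a given address is re-read from it inside the map subsearch, so the email body only contains the hosts that matched that subject's threshold.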

fk319
Builder

The issue here is that several commands are built as the search is parsed, and sendemail is one of these commands.

There are three ways I have found around this:

  1. call a saved search
  2. use the map command
  3. use a subsearch
    |sendemail
      [ | makeresults
         | eval To="to@email.com"
         | eval Subject=case(
                  a<th1,"Below Threshold 1",
                  a<th2,"Below Threshold 2",
                  true(),"Above Threshold 3")
      ]

Be forewarned that the map command is broken in 8.0.2, but is fixed in 8.0.5.

0 Karma

thambisetty
SplunkTrust

Can you share an example?

Your question is not clear.

————————————
If this helps, give a like below.
0 Karma