Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Sending Splunk email alert with variable email address and variable subject values.

sahil2901
Engager
‎08-11-2020 11:08 AM

Hello,

In my search query I've defined the 3 email_subjects and 3 email_addresses with eval to which I want to send an alert based on threshold defined.

e.g if threshold value is =1 then email_subject1 and email_address1 etc.

My output being in table format because of which for availing $result.feildname$ values,  I'll have to add email_subject and  email_address fields in search result table (definitely not desired) - that being the issue I'm stuck at, same issue I faced with "sendemail" as well.

Is there an alternate way to send email alert via splunk itself (no script)?

@fk319 @woodcock @MuS @bmunson_splunk 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎08-11-2020 12:17 PM

There are 2 basic options.

#1: Hide the fields that you are using by making them invisible by prepending them with the underscore ("_") character like this:

   ... foreach email_* [ rename <<FIELD>> AS _<<FIELD>> ]
   ... $result._feildname$

#2: Bring the email function into the SPL using the sendemail command and separate the 2 portions of data using the map command to like this:

    ... | outputlookup TEMP_FILE_FOR_ALERT_FOO_BAR_BAT_DELETE_ME_AT_ANY_TIME.csv
    | stats values(email_recipient) AS email_recipients BY email_subject
    | nomv email_recipients
    | rex field=email_recipients mod=sed "s/[\r\n\s]/,/g"
    |  map max_searches=10 search="|inputlookup TEMP_FILE_FOR_ALERT_FOO_BAR_BAT_DELETE_ME_AT_ANY_TIME.csv
    | search email_subject=\"$email_subject$\"
    | fields - email_*
    | sendemail to=\"$email_recipients$\" subject=\"$email_subject$\""

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎08-11-2020 12:17 PM

There are 2 basic options.

#1: Hide the fields that you are using by making them invisible by prepending them with the underscore ("_") character like this:

   ... foreach email_* [ rename <<FIELD>> AS _<<FIELD>> ]
   ... $result._feildname$

#2: Bring the email function into the SPL using the sendemail command and separate the 2 portions of data using the map command to like this:

    ... | outputlookup TEMP_FILE_FOR_ALERT_FOO_BAR_BAT_DELETE_ME_AT_ANY_TIME.csv
    | stats values(email_recipient) AS email_recipients BY email_subject
    | nomv email_recipients
    | rex field=email_recipients mod=sed "s/[\r\n\s]/,/g"
    |  map max_searches=10 search="|inputlookup TEMP_FILE_FOR_ALERT_FOO_BAR_BAT_DELETE_ME_AT_ANY_TIME.csv
    | search email_subject=\"$email_subject$\"
    | fields - email_*
    | sendemail to=\"$email_recipients$\" subject=\"$email_subject$\""

Reply
Solved! Jump to solution

fk319
Builder
‎08-11-2020 11:39 AM

The issue here is several commands are built as the search as parsed, sendemail is one of these commands.

There are three ways I have found around this:

  1. call a saved search
  2. use the map command
  3. use a subsearch
    |sendemail
      [ | makeresults
         | eval To="to@email.com"
         | eval Subject=case(
                  a<th1,"Below Threshold 1",
                  a<th2,"Below Threshold 2",
                  true(),"Above Threshold 3")
      ]

Be forewarned the map command is broken in 8.0.2, but is fixed in 8.0.5

0 Karma
Reply
Solved! Jump to solution

thambisetty
SplunkTrust
SplunkTrust
‎08-11-2020 11:34 AM

Can you share some example?

your question is not clear.

————————————
If this helps, give a like below.
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...