Splunk Enterprise

Sending Splunk email alert with variable email address and variable subject values.

sahil2901
Engager

Hello,

In my search query I've defined 3 email_subjects and 3 email_addresses with eval, to which I want to send an alert based on the defined threshold.

e.g. if the threshold value is 1, then email_subject1 and email_address1, etc.

My output is in table format, so to use $result.fieldname$ values I'll have to add the email_subject and email_address fields to the search result table (definitely not desired). That is the issue I'm stuck at, and I faced the same issue with "sendemail" as well.

Is there an alternate way to send an email alert via Splunk itself (no script)?

@fk319 @woodcock @MuS @bmunson_splunk 

0 Karma
1 Solution

woodcock
Esteemed Legend

There are 2 basic options.

#1: Hide the fields that you are using by making them invisible by prepending them with the underscore ("_") character, like this:

    ... | foreach email_* [ rename <<FIELD>> AS _<<FIELD>> ]
    ... $result._fieldname$

#2: Bring the email function into the SPL using the sendemail command and separate the 2 portions of data using the map command, like this:

    ... | outputlookup TEMP_FILE_FOR_ALERT_FOO_BAR_BAT_DELETE_ME_AT_ANY_TIME.csv
    | stats values(email_recipient) AS email_recipients BY email_subject
    | nomv email_recipients
    | rex field=email_recipients mode=sed "s/[\r\n\s]/,/g"
    | map max_searches=10 search="| inputlookup TEMP_FILE_FOR_ALERT_FOO_BAR_BAT_DELETE_ME_AT_ANY_TIME.csv
        | search email_subject=\"$email_subject$\"
        | fields - email_*
        | sendemail to=\"$email_recipients$\" subject=\"$email_subject$\""

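Putting the accepted answer's second option together with the threshold selection from the question, here is one complete worked search. It is an added example, not woodcock's or Splunk's own code. It assumes a base search over failed logins (`index=security sourcetype=auth action=failure`), a lookup definition named `alert_routing` with the columns `level`, `email_subject` and `email_recipient` that the search owner maintains, and a temporary lookup file named `TEMP_AUTH_ALERT_DELETE_ME.csv`; the threshold values in the `case()` are constructed for the example, and all of these names are assumptions.

```spl
index=security sourcetype=auth action=failure
| stats count AS failures BY user
| eval level=case(failures>=100, 3, failures>=50, 2, failures>=1, 1)
| lookup alert_routing level OUTPUT email_subject email_recipient
| where isnotnull(email_recipient)
| outputlookup TEMP_AUTH_ALERT_DELETE_ME.csv
| stats values(email_recipient) AS email_recipients BY email_subject
| nomv email_recipients
| rex field=email_recipients mode=sed "s/[\r\n\s]+/,/g"
| map max_searches=10 search="| inputlookup TEMP_AUTH_ALERT_DELETE_ME.csv
    | search email_subject=\"$email_subject$\"
    | fields - level email_subject email_recipient
    | sendemail to=\"$email_recipients$\" subject=\"$email_subject$\" sendresults=true inline=true format=table"
```

The `fields -` step drops the routing columns before `sendemail` runs, so the mailed table contains only `user` and `failures`, which is what the question asked for. Two points worth keeping: the recipients and subjects come from the admin-owned lookup keyed on `level`, never from the events themselves, so a value an attacker can write into a log line cannot change who receives the alert or what its subject says, and the `$email_subject$` token that `map` expands inside its quoted search string can only take values the lookup author chose. The CSV written by `outputlookup` lands in the app's lookups directory and persists until overwritten or deleted, so keep it to the fields you actually want to mail and clean it up if the results are sensitive.
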
fk319
Builder

The issue here is that several commands are built as the search is parsed; sendemail is one of these commands.

There are three ways I have found around this:

  1. call a saved search
  2. use the map command
  3. use a subsearch:

    | sendemail
        [ | makeresults
          | eval To="to@email.com"
          | eval Subject=case(
                a<th1, "Below Threshold 1",
                a<th2, "Below Threshold 2",
                true(), "Above Threshold 3")
        ]

Be forewarned: the map command is broken in 8.0.2, but is fixed in 8.0.5.

0 Karma

thambisetty
SplunkTrust

Can you share an example?

Your question is not clear.

————————————
If this helps, give a like below.
0 Karma