Splunk Enterprise

Sending Splunk email alert with variable email address and variable subject values.

sahil2901
Engager

Hello,

In my search query I've defined 3 email_subjects and 3 email_addresses with eval, to which I want to send an alert based on the threshold defined.

e.g. if the threshold value is 1, then email_subject1 and email_address1, etc.

My output is in table format, because of which, to make use of the $result.fieldname$ values, I'll have to add the email_subject and email_address fields to the search result table (definitely not desired). That is the issue I'm stuck at; I faced the same issue with "sendemail" as well.

Is there an alternative way to send the email alert via Splunk itself (no script)?

@fk319 @woodcock @MuS @bmunson_splunk 


woodcock
Esteemed Legend

There are 2 basic options.

#1: Hide the fields that you are using by prepending them with the underscore ("_") character, which makes them invisible, like this:

   ... | foreach email_* [ rename <<FIELD>> AS _<<FIELD>> ]
   ... $result._fieldname$

#2: Bring the email function into the SPL using the sendemail command and separate the 2 portions of data using the map command, like this:

    ... | outputlookup TEMP_FILE_FOR_ALERT_FOO_BAR_BAT_DELETE_ME_AT_ANY_TIME.csv
    | stats values(email_recipient) AS email_recipients BY email_subject
    | nomv email_recipients
    | rex field=email_recipients mode=sed "s/[\r\n\s]+/,/g"
    | map maxsearches=10 search="| inputlookup TEMP_FILE_FOR_ALERT_FOO_BAR_BAT_DELETE_ME_AT_ANY_TIME.csv
    | search email_subject=\"$email_subject$\"
    | fields - email_*
    | sendemail to=\"$email_recipients$\" subject=\"$email_subject$\""

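Option #2 carried through end to end, as an added worked example that is not part of woodcock's post or the original question. The base search (index=web, sourcetype=access_combined, the status and host fields), the three threshold levels, the subjects, the recipient addresses and the lookup file name TEMP_ALERT_ROUTING_DELETE_ME.csv are all assumptions chosen to illustrate the technique; replace them with your own. The routing fields are created with eval, written to a temporary lookup together with the result rows, and then the map command runs one sendemail per distinct subject, so the email_* and level fields never have to appear in the delivered table:

```spl
index=web sourcetype=access_combined status>=500 earliest=-15m
| stats count AS errors BY host
| eval level=case(errors>=100, 3, errors>=50, 2, errors>=1, 1)
| where isnotnull(level)
| eval email_subject=case(
      level==1, "Threshold 1: 5xx errors seen on web tier",
      level==2, "Threshold 2: elevated 5xx errors on web tier",
      level==3, "Threshold 3: critical 5xx error rate on web tier")
| eval email_recipient=case(
      level==1, "web-oncall@example.com",
      level==2, "web-oncall@example.com,sre-lead@example.com",
      level==3, "incident-commander@example.com")
| outputlookup TEMP_ALERT_ROUTING_DELETE_ME.csv
| stats values(email_recipient) AS email_recipients BY email_subject
| nomv email_recipients
| rex field=email_recipients mode=sed "s/[\r\n\s]+/,/g"
| map maxsearches=10 search="| inputlookup TEMP_ALERT_ROUTING_DELETE_ME.csv
    | search email_subject=\"$email_subject$\"
    | fields - email_*, level
    | sendemail to=\"$email_recipients$\" subject=\"$email_subject$\" sendresults=true inline=true format=table"
```

Two practical points when scheduling this as a saved search: the search must run in an app where the search owner may write lookup files, and every run overwrites the same temporary CSV, so keep the schedule interval longer than the search runtime (or give the file name a per-search suffix) to avoid one run mailing another run's rows. The where clause is there so that a count below the lowest threshold produces no routing row and therefore no email, instead of a sendemail call with an empty recipient list.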


fk319
Builder

The issue here is that several commands are built as the search is parsed; sendemail is one of these commands.

There are three ways I have found around this:

  1. call a saved search
  2. use the map command
  3. use a subsearch
    |sendemail
      [ | makeresults
         | eval To="to@email.com"
         | eval Subject=case(
                  a<th1,"Below Threshold 1",
                  a<th2,"Below Threshold 2",
                  true(),"Above Threshold 3")
      ]

Be forewarned: the map command is broken in 8.0.2, but is fixed in 8.0.5.


thambisetty
SplunkTrust

Can you share an example?

Your question is not clear.
