I have a simple search similar to this
host=ccirc.example.com | table email malware | sort email | uniq
which gives me results like this
freddy@example.com zeroconf
jimbob@example.com conficker
jamesdean@example.com citadel
marthastewart@example.com zeus
Is it possible for me to iterate through each line and send a boilerplate email to the address in the first field, basically saying "you are infected with $virus"?
I should also note that the source file for this search is generated by a script once a day, so you don't see individual lines coming in 'real time.'
Any insights are much appreciated!
This functionality doesn't exist.
But you can create your own scripted alert that will create the emails after parsing the results.
see http://docs.splunk.com/Documentation/Splunk/6.0/Alert/Configuringscriptedalerts
by the way nice reference to the quantic transient state.
http://en.wikipedia.org/wiki/Quantum_decoherence
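For anyone following the scripted-alert route, here is a worked example of the shape such a script takes. It is added here and is not Splunk's code or anything the original poster wrote: it reads the gzipped CSV of results that a scripted alert receives as argument $8 (SPLUNK_ARG_8), groups the rows by address so each user gets one notice even if several malware names appear for them, drops any row whose email field does not look like an address, and hands each message to the local MTA without going through a shell, so a hostile value in the email or malware field cannot inject commands. The sender address, the sendmail path and the embedded sample rows are assumptions made for the example; the column names match the question's search.

```python
import csv
import gzip
import os
import re
import subprocess
import sys
import tempfile
from email.message import EmailMessage

# Constructed sample of the gzipped CSV Splunk writes for a scripted alert
# (the path arrives as argument $8 / SPLUNK_ARG_8; the header row carries the
# field names from the search's "table email malware").
SAMPLE_RESULTS_CSV = (
    "email,malware\n"
    "freddy@example.com,zeroconf\n"
    "jimbob@example.com,conficker\n"
    "jamesdean@example.com,citadel\n"
    "marthastewart@example.com,zeus\n"
    "jimbob@example.com,zeus\n"      # same user seen twice: one mail, two names
    "not an address,zeus\n"          # malformed field: must be dropped, not mailed
)

# Hypothetical sender for the notices (assumption, not from the original post).
SENDER = "ccirc@example.com"

# Conservative address check so a garbled or hostile 'email' field never
# reaches the MTA as a recipient or header value.
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def write_sample_results(path):
    """Write the constructed sample in the same shape Splunk produces."""
    with gzip.open(path, "wt", newline="") as fh:
        fh.write(SAMPLE_RESULTS_CSV)


def load_results(path):
    """Parse the gzipped CSV of alert results into a list of dicts."""
    with gzip.open(path, "rt", newline="") as fh:
        return list(csv.DictReader(fh))


def group_by_address(rows):
    """Map each well-formed address to the sorted list of malware names seen for it."""
    seen = {}
    for row in rows:
        addr = (row.get("email") or "").strip()
        name = (row.get("malware") or "").strip()
        if not ADDRESS_RE.match(addr) or not name:
            continue  # skip rows that could not safely become a recipient
        seen.setdefault(addr, set()).add(name)
    return {addr: sorted(names) for addr, names in seen.items()}


def build_messages(infections, sender=SENDER):
    """Build one boilerplate notice per address, in address order."""
    messages = []
    for addr in sorted(infections):
        names = ", ".join(infections[addr])
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = addr
        msg["Subject"] = "Malware infection notice: " + names
        msg.set_content(
            "Our daily scan shows that your host is infected with: "
            + names + "\n\nPlease contact the security team.\n"
        )
        messages.append(msg)
    return messages


def send_via_sendmail(msg):
    """Hand the message to the local MTA as an argument list (no shell), so no field can inject commands."""
    subprocess.run(["/usr/sbin/sendmail", "-t", "-oi"],
                   input=msg.as_bytes(), check=True)


def run_demo():
    """Offline walk-through on the constructed sample; returns (infections, messages)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "results.csv.gz")
        write_sample_results(path)
        infections = group_by_address(load_results(path))
    return infections, build_messages(infections)


def main(argv):
    # Under Splunk, $8 is the results file; fall back to the environment variable.
    results_path = argv[8] if len(argv) > 8 else os.environ.get("SPLUNK_ARG_8")
    if not results_path:
        infections, messages = run_demo()
        for msg in messages:
            print(msg)   # not running under Splunk: just show what would be sent
        return 0
    infections = group_by_address(load_results(results_path))
    for msg in build_messages(infections):
        send_via_sendmail(msg)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it prints the four notices it would send for the sample; dropped into $SPLUNK_HOME/bin/scripts and attached to the saved search as a scripted alert, it reads the real results file instead. Because the script runs under the Splunk service account, keep it readable only by that account and avoid logging full message bodies.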
Thanks for pointing me in the right direction!