How to add multiple email addresses in Splunk Aler...

whitefang1726 · ‎02-28-2023

Hello Splunkers,

How can we send email to multiple email addresses using Splunk alert? I saw below documentation in Splunk site, but it doesn't have any sample for multiple emails.

https://docs.splunk.com/Documentation/Splunk/9.0.4/Alert/Emailnotification

Example:

If country=US, recipients will be ameri@gmail.com
If country=Argentina, recipients will be ameri@gmail.com, argentina@gmail.com
If country=Mexico, recipients will be ameri@gmail.com, mexico@gmail.com
If no match, then ameri@gmail.com

Thanks!

whitefang1726 · ‎02-28-2023

I've used eval (recipients fields) same with the documentation, but "," does not worked and recipients doesn't received any emails.

Example:

| eval recipients=if(country, "US", "ameri@gmail.com", if(country, "Mexico", "ameri@gmail.com, mexico@gmail.com"), "ameri@gmail.com")

ITWhisperer · ‎03-01-2023

Have you tried semi-colon rather then comma as a separator between e-mail addresses?

ITWhisperer · ‎02-28-2023

You could consider adding the recipients to the results of the search and using $result.recipients$ in the To: field.

How to add multiple email addresses in Splunk Alert based on field value?

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Are you a member of the Splunk Community?

How to add multiple email addresses in Splunk Alert based on field value?

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...