Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a Report that send emails row by row, with the contents in columns?

DS904458
Explorer
‎05-06-2022 08:23 AM

Hi all,

I'm not a English native speaker, but I will do my best to explain ther question.

To be clear, I need done this in "Report". So that means I can't use a saved job as in Dashboard.
So I need done this in a single search, I guess.

 

I did some previous search, and get a result table like this below table:

Test_ProjectTest_SiteFailed_Test_ItemsTest_Admin_Email
Notebook_XXAItem_1
Item_5
Item_7		dog@mail.com, cat@mail.com, bird@mail.com 
Mobile_DDAItem_1
Item_2		dog@mail.com
Notebook_XXBItem_3cat@mail.com
Mobile_DDBItem_6
Item_7		bird@mail.com, cat@mail.com 


Faild_Test_Items is a multi-value  column.
Test_Admin_Email is a single-string column.

Anyway, I need send email about the testing result row by row.
For example, send this to 3 different email address:  dog@mail.com, cat@mail.com, bird@mail.com

Test_ProjectTest_SiteFailed_Test_Items
Notebook_XXAItem_1
Item_5
Item_7

 

And send this to two email address: bird@mail.com, cat@mail.com 

Test_ProjectTest_SiteFailed_Test_Items
Mobile_DDBItem_6
Item_7


Every row will represent different email.
So in this case, I will send 4 emails.
And it need to be done by Report, because I need schedule it.

Please help me in a simple way, maybe use some simple examples.
I am still a Splunk noob.

Labels (4)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

VatsalJagani
SplunkTrust
SplunkTrust
‎05-06-2022 08:50 AM

@DS904458 - You can extend your search with sendemail command (https://docs.splunk.com/Documentation/Splunk/8.2.6/SearchReference/Sendemail )

<your search>
| map search="| sendemail to=$Test_Admin_Email$ subject=\"some subject\" message=\"Test_Project=$Test_Project$, Test_Site=$Test_Site$, Failed_Test_Items=$Failed_Test_Items$\" "

Please read here about the map command as it has some limitations on how many results it can process. - https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Map 

 

I hope this helps!!!

View solution in original post

Reply
Solved! Jump to solution
Solution

VatsalJagani
SplunkTrust
SplunkTrust
‎05-06-2022 08:50 AM

@DS904458 - You can extend your search with sendemail command (https://docs.splunk.com/Documentation/Splunk/8.2.6/SearchReference/Sendemail )

<your search>
| map search="| sendemail to=$Test_Admin_Email$ subject=\"some subject\" message=\"Test_Project=$Test_Project$, Test_Site=$Test_Site$, Failed_Test_Items=$Failed_Test_Items$\" "

Please read here about the map command as it has some limitations on how many results it can process. - https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Map 

 

I hope this helps!!!

Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎05-08-2022 11:42 PM

It ain't that easy. Especially because of the need to handle multivalued fields (multiple recipients) properly. And it's simply a bad idea.

Splunk is not a bulk email solution and you can hit many obstacles like relaying problems. As a rule of thumb, you should not need to use sendmail command at all.

Also the use of the map command however "formally correct" is not the advised way to do things if you can avoid it - it spawns a separate search for every single row of results of the main search.

0 Karma
Reply
Solved! Jump to solution

DS904458
Explorer
‎05-08-2022 10:36 PM

Any chance I could send the result row by row with a table structure like this? (including header, and box)

Test_ProjectTest_SiteFailed_Test_Items
Mobile_DDBItem_6
Item_7
0 Karma
Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎05-09-2022 12:30 AM

@DS904458 - Not possible unless you are writing your own alert action to send multiple emails based on results in this format.

 

References:

https://docs.splunk.com/Documentation/Splunk/8.2.6/AdvancedDev/ModAlertsIntro

https://docs.splunk.com/Documentation/AddonBuilder/4.1.0/UserGuide/CreateAlertActions 

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...