Hi all,
I'm not a native English speaker, but I will do my best to explain the question.
To be clear, I need to do this in a "Report". That means I can't use a saved job as in a Dashboard.
So I need to do this in a single search, I guess.
I ran a previous search and got a result table like the one below:
Test_Project | Test_Site | Failed_Test_Items | Test_Admin_Email |
Notebook_XX | A | Item_1 Item_5 Item_7 | dog@mail.com, cat@mail.com, bird@mail.com |
Mobile_DD | A | Item_1 Item_2 | dog@mail.com |
Notebook_XX | B | Item_3 | cat@mail.com |
Mobile_DD | B | Item_6 Item_7 | bird@mail.com, cat@mail.com |
Failed_Test_Items is a multi-value column.
Test_Admin_Email is a single-string column.
Anyway, I need to send emails about the testing results row by row.
For example, send this to 3 different email addresses: dog@mail.com, cat@mail.com, bird@mail.com
Test_Project | Test_Site | Failed_Test_Items |
Notebook_XX | A | Item_1 Item_5 Item_7 |
And send this to two email addresses: bird@mail.com, cat@mail.com
Test_Project | Test_Site | Failed_Test_Items |
Mobile_DD | B | Item_6 Item_7 |
Every row will represent a different email.
So in this case, I will send 4 emails.
And it needs to be done by a Report, because I need to schedule it.
Please help me in a simple way, maybe use some simple examples.
I am still a Splunk noob.
@DS904458 - You can extend your search with the sendemail command (https://docs.splunk.com/Documentation/Splunk/8.2.6/SearchReference/Sendemail)
<your search>
| map search="| sendemail to=\"$Test_Admin_Email$\" subject=\"some subject\" message=\"Test_Project=$Test_Project$, Test_Site=$Test_Site$, Failed_Test_Items=$Failed_Test_Items$\" "
Please read here about the map command, as it has some limitations on how many results it can process: https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Map
I hope this helps!!!
It ain't that easy. Especially because of the need to handle multivalued fields (multiple recipients) properly. And it's simply a bad idea.
Splunk is not a bulk email solution and you can hit many obstacles like relaying problems. As a rule of thumb, you should not need to use the sendemail command at all.
Also, the use of the map command, however "formally correct", is not the advised way to do things if you can avoid it - it spawns a separate search for every single row of results of the main search.
Any chance I could send the result row by row with a table structure like this? (including header, and box)
Test_Project | Test_Site | Failed_Test_Items |
Mobile_DD | B | Item_6 Item_7 |
@DS904458 - Not possible unless you are writing your own alert action to send multiple emails based on results in this format.
References:
https://docs.splunk.com/Documentation/Splunk/8.2.6/AdvancedDev/ModAlertsIntro
https://docs.splunk.com/Documentation/AddonBuilder/4.1.0/UserGuide/CreateAlertActions
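The per-row step such a custom alert action would need, as an added example (not code from the thread or from Splunk): it turns each result row into one email with a bordered HTML table, escaping field values and rejecting malformed recipients. Assumptions: the results are available as CSV text with the multi-value field newline-separated in one cell, and the sender address and sample data are constructed placeholders.

```python
import csv, html, io, re
from email.message import EmailMessage

# Constructed sample shaped like the table in the question. Assumption: the
# multi-value Failed_Test_Items arrives newline-separated inside one CSV cell.
SAMPLE_CSV = (
    "Test_Project,Test_Site,Failed_Test_Items,Test_Admin_Email\n"
    'Notebook_XX,A,"Item_1\nItem_5\nItem_7","dog@mail.com, cat@mail.com, bird@mail.com"\n'
    'Mobile_DD,B,"Item_6\nItem_7","bird@mail.com, cat@mail.com"\n'
)
COLUMNS = ["Test_Project", "Test_Site", "Failed_Test_Items"]
ADDR = re.compile(r"[^@\s,;<>]+@[^@\s,;<>]+")

def recipients(raw):
    """Split the single-string address field; drop anything that is not a bare
    address (embedded whitespace or newlines could smuggle extra headers)."""
    parts = (p.strip() for p in re.split(r"[,;]", raw))
    return [p for p in parts if ADDR.fullmatch(p)]

def one_line(value):
    """Collapse whitespace so a field value can never break a header line."""
    return " ".join(value.split())

def row_table(row):
    """Header plus one data row as a bordered HTML table, values escaped."""
    head = "".join(f"<th>{html.escape(c)}</th>" for c in COLUMNS)
    cells = "".join(
        "<td>" + "<br>".join(html.escape(v) for v in row[c].split("\n")) + "</td>"
        for c in COLUMNS)
    return f'<table border="1"><tr>{head}</tr><tr>{cells}</tr></table>'

def build_messages(csv_text, sender="splunk@example.com"):  # sender is a placeholder
    messages = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        to = recipients(row["Test_Admin_Email"])
        if not to:
            continue  # no usable recipient: skip rather than send blindly
        msg = EmailMessage()
        msg["From"], msg["To"] = sender, ", ".join(to)
        msg["Subject"] = one_line(f"Failed tests: {row['Test_Project']} site {row['Test_Site']}")
        msg.set_content("\n".join(f"{c}: {one_line(row[c])}" for c in COLUMNS))
        msg.add_alternative(row_table(row), subtype="html")
        messages.append(msg)
    return messages

if __name__ == "__main__":
    for m in build_messages(SAMPLE_CSV):
        print(m["To"], "|", m["Subject"])
    # Sending is one call per message: smtplib.SMTP(host).send_message(m)
```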