Splunk Search

How to create a token from a field (email_id) and pass the token to the sendemail command in an inline search?

New Member

Hi experts

I have one search where I am extracting username from a Windows event and using a static lookup table to extract the email_id of that username. Now I have to pass this field email_id as a token to the sendemail command or in an alert. If it is possible, please let me know the solution.

0 Karma

New Member
eventtype="wineventlog_windows" (host="*" OR ComputerName="*") TaskCategory="*"  SourceName="*" EventCode="4720" Type="*" source="WinEventLog:Security" sourcetype="WinEventLog:Security" | lookup mail username as src_user output emailid as email_id | sendemail to="$result.email_id$" server=mycompanymailserver

The search above is what I'm trying to do. I am capturing an event 4720 on a Windows server. I'm extracting email_id from a lookup table and that email_id has the email address. Now I want to pass this email_id to my alert settings so alerts should go to the value mentioned in email_id.

0 Karma

Yes it is possible.

From results, you use the " result.token " to access the
first value of a specified field in search results.
This token is available from the following contexts:

Alert actions
Scheduled reports
Token Description

Returns the first value for the specified field name from the first
result in the search. The field name must be present in the

see this:


0 Karma