
How to create a token from a field (email_id) and pass the token to the sendemail command in an inline search?

New Member

Hi experts

I have one search where I am extracting username from a Windows event and using a static lookup table to extract the email_id of that username. Now I have to pass this field email_id as a token to the sendemail command or in an alert. If it is possible, please let me know the solution.

0 Karma

New Member
eventtype="wineventlog_windows" (host="*" OR ComputerName="*") TaskCategory="*"  SourceName="*" EventCode="4720" Type="*" source="WinEventLog:Security" sourcetype="WinEventLog:Security" | lookup mail username as src_user output emailid as email_id | sendemail to="$result.email_id$" server=mycompanymailserver

The search above is what I'm trying to do. I am capturing an event 4720 on a Windows server. I'm extracting email_id from a lookup table and that email_id has the email address. Now I want to pass this email_id to my alert settings so alerts should go to the value mentioned in email_id.

0 Karma

Yes, it is possible.

From results, you use the "result.token" to access the first value of a specified field in search results. This token is available from the following contexts:

Alert actions
Scheduled reports

Token: $result.fieldname$
Description: Returns the first value for the specified field name from the first result in the search. The field name must be present in the search.

See this:

docs.splunk.com/Documentation/Splunk/6.2.2/Alert/Setupalertactions

0 Karma
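The alert-action route described in the answer, written out as a savedsearches.conf stanza. This is an added example, not part of the original posts: the stanza name, schedule and time window are assumptions, and the search is the one from the question with the wildcard filters and the inline sendemail removed. Because $result.email_id$ only reads the first result, the stanza triggers once per result so that each matching event mails its own address.

```ini
# savedsearches.conf (added example; stanza name, schedule and window are assumed)
[New account created - notify user]
# Search from the question, trimmed, without the inline sendemail. Results
# with no email_id are dropped so the alert never fires with an empty recipient.
search = eventtype="wineventlog_windows" EventCode="4720" source="WinEventLog:Security" sourcetype="WinEventLog:Security" | lookup mail username as src_user output emailid as email_id | where isnotnull(email_id) | table _time src_user email_id

# Run every 5 minutes over the previous 5 minutes (assumed schedule).
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = @m

# Trigger whenever the search returns at least one result.
counttype = number of events
relation = greater than
quantity = 0

# 0 = run the alert actions once per result instead of once per search.
# $result.email_id$ reads only the first result, so in digest mode a run that
# matched several new accounts would mail only the first address.
alert.digest_mode = 0

# Email action; the recipient is filled from the lookup field.
action.email = 1
action.email.to = $result.email_id$
action.email.subject = Account created: $result.src_user$
```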