I have one search where I am extracting username from a Windows event and using a static lookup table to extract the email_id of that username. Now I have to pass this field email_id as a token to the sendemail command or in an alert. If it is possible, please let me know the solution.
eventtype="wineventlog_windows" (host="*" OR ComputerName="*") TaskCategory="*" SourceName="*" EventCode="4720" Type="*" source="WinEventLog:Security" sourcetype="WinEventLog:Security" | lookup mail username as src_user output emailid as email_id | sendemail to="$result.email_id$" server=mycompanymailserver
The search above is what I'm trying to do. I am capturing an event 4720 on a Windows server. I'm extracting email_id from a lookup table and that email_id has the email address. Now I want to pass this email_id to my alert settings so alerts should go to the value mentioned in email_id.
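One way to do what the post describes, as an added example that is not part of the original post: instead of calling sendemail inline, save the search as an alert and let the alert action read the recipient from the result row via the $result.email_id$ token. The stanza below assumes a savedsearches.conf in a local/ directory, the lookup name "mail" with fields "username" and "emailid" from the post, and a placeholder fallback mailbox; with alert.digest_mode=0 the action fires once per result, so each created account's owner gets only their own row.

```ini
# Added example (not from the original post): savedsearches.conf stanza that
# emails the address looked up for the account creator of each 4720 event.
[Notify on Windows account creation (4720)]
# Narrowed from the posted search: the host="*" / TaskCategory="*" style wildcards
# match everything anyway, so they are dropped for readability.
search = eventtype="wineventlog_windows" source="WinEventLog:Security" sourcetype="WinEventLog:Security" EventCode=4720 \
  | lookup mail username AS src_user OUTPUT emailid AS email_id \
  | eval email_id=coalesce(email_id, "secops-fallback@example.invalid") \
  | table _time, ComputerName, src_user, user, email_id
# Recipient comes only from the lookup (or the fixed fallback), never from an
# attacker-controlled event field, so a crafted account name cannot redirect mail.

# Schedule: run every 5 minutes over the last 5 minutes of data.
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = now

# Trigger when at least one event is returned.
counttype = number of events
relation = greater than
quantity = 0

# Fire the action once per result row so $result.*$ refers to that row.
# With the default digest mode (1) only the FIRST row's email_id would be used.
alert.digest_mode = 0
alert.track = 1

# Throttle: at most one mail per creating account per hour, which caps the
# blast radius if someone scripts many account creations.
alert.suppress = 1
alert.suppress.fields = src_user
alert.suppress.period = 1h

# Email action; tokens are resolved from the triggering result row.
action.email = 1
action.email.to = $result.email_id$
action.email.subject = New Windows account $result.user$ created by $result.src_user$
action.email.message.alert = $result.src_user$ created account $result.user$ on $result.ComputerName$ at $result._time$.
action.email.sendresults = 1
action.email.inline = 1
```

Reload the configuration (or create the alert through the UI with the same settings) and confirm the rendered "To" header in the sent mail matches the lookup value, not an event field.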