Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Send Separate Alert Email notification based on email column and result returned

Poojitha
Communicator
‎03-27-2025 10:25 PM

Hi All,

I have a lookup that contains set of email ids and associated accounts.

Example : 

Account ID

OWNER_EMAIL

34234234

test1@gmail.com; test2@gmail.com

123234234

test3@gmail.com;test4@gmail.com


<logic>
| eval email_list = split(OWNER_EMAIL, ";")
| stats values(email_list) as email_list values(ENVIRONMENT) as ENVIRONMENT values(category) as EVENT_CATEGORY values(EVENT_TYPE) as EVENT_TYPE values(REGION) as Region values(AFFECTED_RESOURCE_ARNS) as AFFECTED_RESOURCE_ARNS.

I have configured $result.email_list$ in alert action - email.to setting. Email is getting sent successfully but all of the result together is sent to email recepient.

Result :

Account ID

 Email_list

Environment

Category

Type

Region

Arns

Description

34234234

test1@gmail.com; test2@gmail.com

Development

test_cat1

Event1

global

testarn1

testdescr1

123234234

test3@gmail.com;test4@gmail.com

Production

test_cat2

Event2

global

testarn2

testdescr2


When alert is triggered, separate email should go to test1@gmail.com; test2@gmail.com with both of them in to field  with email body containing only first row and another email should go to test3@gmail.com;test4@gmail.com with  both of them in to field with email body containing only second row. Please help how to achieve this.

Regards,
PNV

Labels (1)
Labels
Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-27-2025 11:58 PM

Hi @Poojitha ,

when you create the alert, use the $row.OWNER_EMAIL$ token in the "Send to" field,

remembering to separate alerts results (one alert for each results) in the alert options.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...