Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk - Sendemail for each output row

vamsigurram
Path Finder
‎03-26-2021 11:01 AM

Hi,

I have a tabular results of folks, who are using index=* in their searches.

So i have SPL that outputs below

UserapptitleSPLemail
user1searchxyzindex=*abc\@test.com
user2app1abcindex=* source=*user2\@test.com

 

WHen i add the below command, i see email of all the results in the table.

| sendemail to="abc@test.com" format=table subject=myresults sendresults=true inline=true

 

But i want user1, to get only his/her result

Similarly user2, should get only his/her result.

 

SO i tried below. but none worked.

| map [|sendemail to="$email$" format=table subject=myresults sendresults=true inline=true]

| map [sendemail to="$email$" format=table subject=myresults sendresults=true inline=true]

 

| map  search="|sendemail to="$email$" format=table subject=myresults sendresults=true inline=true"

| map  search="sendemail to="$email$" format=table subject=myresults sendresults=true inline=true"

 

Please let me know the right syntax.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tscroggins
Influencer
‎03-28-2021 08:45 AM

@vamsigurram 

The map command has access to field values through replacement tokens. Try something like this:

| map search="| makeresults | sendemail to=\"$email$\" subject=\"myresults\" message=\"User,app,title,SPL,email\n\\\"$User$\\\",\\\"$app$\\\",\\\"$title$\\\",\\\"$SPL$\\\",\\\"$email$\\\"\""

If this is an alert search, you can configure the alert itself to trigger one email action per result and use $result.email$ in the To action argument.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

vamsigurram
Path Finder
‎03-28-2021 06:41 PM

Thanks @tscroggins

This is exactly, what i wanted.

Both your suggestions worked.

0 Karma
Reply
Solved! Jump to solution
Solution

tscroggins
Influencer
‎03-28-2021 08:45 AM

@vamsigurram 

The map command has access to field values through replacement tokens. Try something like this:

| map search="| makeresults | sendemail to=\"$email$\" subject=\"myresults\" message=\"User,app,title,SPL,email\n\\\"$User$\\\",\\\"$app$\\\",\\\"$title$\\\",\\\"$SPL$\\\",\\\"$email$\\\"\""

If this is an alert search, you can configure the alert itself to trigger one email action per result and use $result.email$ in the To action argument.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...