Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk - Sendemail for each output row

vamsigurram
Path Finder
‎03-26-2021 11:01 AM

Hi,

I have a tabular results of folks, who are using index=* in their searches.

So i have SPL that outputs below

UserapptitleSPLemail
user1searchxyzindex=*abc\@test.com
user2app1abcindex=* source=*user2\@test.com

 

WHen i add the below command, i see email of all the results in the table.

| sendemail to="abc@test.com" format=table subject=myresults sendresults=true inline=true

 

But i want user1, to get only his/her result

Similarly user2, should get only his/her result.

 

SO i tried below. but none worked.

| map [|sendemail to="$email$" format=table subject=myresults sendresults=true inline=true]

| map [sendemail to="$email$" format=table subject=myresults sendresults=true inline=true]

 

| map  search="|sendemail to="$email$" format=table subject=myresults sendresults=true inline=true"

| map  search="sendemail to="$email$" format=table subject=myresults sendresults=true inline=true"

 

Please let me know the right syntax.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tscroggins
Influencer
‎03-28-2021 08:45 AM

@vamsigurram 

The map command has access to field values through replacement tokens. Try something like this:

| map search="| makeresults | sendemail to=\"$email$\" subject=\"myresults\" message=\"User,app,title,SPL,email\n\\\"$User$\\\",\\\"$app$\\\",\\\"$title$\\\",\\\"$SPL$\\\",\\\"$email$\\\"\""

If this is an alert search, you can configure the alert itself to trigger one email action per result and use $result.email$ in the To action argument.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

vamsigurram
Path Finder
‎03-28-2021 06:41 PM

Thanks @tscroggins

This is exactly, what i wanted.

Both your suggestions worked.

0 Karma
Reply
Solved! Jump to solution
Solution

tscroggins
Influencer
‎03-28-2021 08:45 AM

@vamsigurram 

The map command has access to field values through replacement tokens. Try something like this:

| map search="| makeresults | sendemail to=\"$email$\" subject=\"myresults\" message=\"User,app,title,SPL,email\n\\\"$User$\\\",\\\"$app$\\\",\\\"$title$\\\",\\\"$SPL$\\\",\\\"$email$\\\"\""

If this is an alert search, you can configure the alert itself to trigger one email action per result and use $result.email$ in the To action argument.

0 Karma
Reply
Get Updates on the Splunk Community!

Let’s Talk Terraform

If you’re beyond the first-weeks-of-a-startup stage, chances are your application’s architecture is pretty ...

Cloud Platform | Customer Change Announcement: Email Notification is Available For ...

The Notification Team is migrating our email service provider. As the rollout progresses, Splunk has enabled ...

Save the Date: GovSummit Returns Wednesday, December 11th!

Hey there, Splunk Community! Exciting news: Splunk’s GovSummit 2024 is returning to Washington, D.C. on ...