Splunk Search

Splunk - Sendemail for each output row

vamsigurram
Path Finder

Hi,

I have a tabular results of folks, who are using index=* in their searches.

So i have SPL that outputs below

UserapptitleSPLemail
user1searchxyzindex=*abc\@test.com
user2app1abcindex=* source=*user2\@test.com

 

WHen i add the below command, i see email of all the results in the table.

| sendemail to="abc@test.com" format=table subject=myresults sendresults=true inline=true

 

But i want user1, to get only his/her result

Similarly user2, should get only his/her result.

 

SO i tried below. but none worked.

| map [|sendemail to="$email$" format=table subject=myresults sendresults=true inline=true]

| map [sendemail to="$email$" format=table subject=myresults sendresults=true inline=true]

 

| map  search="|sendemail to="$email$" format=table subject=myresults sendresults=true inline=true"

| map  search="sendemail to="$email$" format=table subject=myresults sendresults=true inline=true"

 

Please let me know the right syntax.

Labels (1)
0 Karma
1 Solution

tscroggins
Influencer

@vamsigurram 

The map command has access to field values through replacement tokens. Try something like this:

| map search="| makeresults | sendemail to=\"$email$\" subject=\"myresults\" message=\"User,app,title,SPL,email\n\\\"$User$\\\",\\\"$app$\\\",\\\"$title$\\\",\\\"$SPL$\\\",\\\"$email$\\\"\""

If this is an alert search, you can configure the alert itself to trigger one email action per result and use $result.email$ in the To action argument.

View solution in original post

0 Karma

vamsigurram
Path Finder

Thanks @tscroggins

This is exactly, what i wanted.

Both your suggestions worked.

0 Karma

tscroggins
Influencer

@vamsigurram 

The map command has access to field values through replacement tokens. Try something like this:

| map search="| makeresults | sendemail to=\"$email$\" subject=\"myresults\" message=\"User,app,title,SPL,email\n\\\"$User$\\\",\\\"$app$\\\",\\\"$title$\\\",\\\"$SPL$\\\",\\\"$email$\\\"\""

If this is an alert search, you can configure the alert itself to trigger one email action per result and use $result.email$ in the To action argument.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...