Hi.
I am trying to send an email for each event when triggered. I used the map and sendemail commands, but an empty email is always sent out, regardless of whether any event is found. How can I stop sending an empty email? Thanks.
index=xyz user=U12345 OR user=X12345
| table _time hostname user
| eval report_time=strftime(_time, "%d %b %Y %H:%M:%S")
| eval subject=$report_time$ + ", user, " + $user$ + " logged on to server " + $hostname$
| stats count by subject
| map [ search | eval subject=$subject$ | stats count by subject | fields - count | sendemail server=mail.server.net from=xyz to=abc subject=$result.subject$ sendresults=true]
This is from another Q&A:
https://answers.splunk.com/answers/399434/send-emailed-results-to-an-email-address-in-the-re.html#an...
If you need to send a contextually-appropriate subset of results to some people, you can skip the configuration-based email settings and do this in SPL:
... | outputcsv TempFile.csv
| stats values(Email_Address) AS emailToHeader | mvexpand emailToHeader
| map search="|inputcsv TempFile.csv | where Email_Addresss=\"$emailToHeader$\"
| fields - Email_Address
| sendemail
sendresults=true inline=true
server=\"Your.Value.Here\"
from=\"Your.Value.Here\"
to=\"$emailToHeader$\"
subject=\"Your Subject here: \$name\$\"
message=\"This report alert was generated by \$app\$ Splunk with this search string: \$search\$\""
| where comment="MakeSureNoEventsRemain"
| append [|inputcsv TempFile.csv]
The only downside to this approach is that if the search does not return any results it will produce the following error:
"Error in "map": Did not find value for required attributes 'emailToHeader'"
This is "normal" and I have not found a good way to code around it.
Does this finally work? I have a similar query to trigger the sendemail inside the map command, but I got "2021-04-30 04:05:59,276 +0000 ERROR sendemail:1428 - [HTTP 403] Client is not authorized to perform requested action" in index=_internal source=*python.log*, while the sendemail works if I run it separately. Some posts said the script inside map misses the context; do you know how we could fix this?
Just wanted to comment here about the method of
... | outputcsv TempFile.csv
| ...
| ...
| where comment="MakeSureNoEventsRemain"
| append [|inputcsv Tempfile.csv]
I've been attempting to get something like this working, with no success, and I've just realized why. The [|inputcsv Tempfile.csv] subsearch executes first (as subsearches do), so when the search reaches the line | append [|inputcsv Tempfile.csv], it appends whatever events existed in Tempfile.csv at the BEGINNING of the search, not what was populated into the file by | outputcsv Tempfile.csv.
Took me a while to figure this out.
Give this a try
Updated
index=xyz user=U12345 OR user=X12345
| table _time hostname user
| eval report_time=strftime(_time, "%d %b %Y %H:%M:%S")
| eval subject=$report_time$ + ", user, " + $user$ + " logged on to server " + $hostname$
| stats count by subject
| map [ | gentimes start=-1 | eval subject="$subject$" |table subject| sendemail server=mail.server.net from=xyz to=abc subject=$result.subject$ sendresults=true format=table inline=true]
Hi somesoni2, thank you for your response. I am still getting an email with the following contents:
"Search results.
No results found.
"
Try the updated answer.
Still getting an empty email with the following contents:
Search results.
subject
$subject$
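An alternative that avoids both problems raised in this thread (the empty email when map runs with no results, and the inputcsv/outputcsv ordering issue) is to not use map at all and let a scheduled alert do the per-event emailing. This is an added example, not code from any post above: a savedsearches.conf stanza that runs the original search from the question, triggers only when at least one event is returned, and sends one email per result. The stanza name, cron schedule and dispatch window are assumptions; index=xyz, mail.server.net, xyz and abc are the placeholder values the original poster used.

```ini
; Added example (assumed stanza name): one email per logon event, no map/sendemail in SPL.
[one_email_per_logon_event]
; The original search, minus the eval/map plumbing; report_time is kept as a field
; so the subject can reference it with a $result.<field>$ token.
search = index=xyz user=U12345 OR user=X12345 | eval report_time=strftime(_time, "%d %b %Y %H:%M:%S") | table _time hostname user report_time

; Schedule (assumed): every 15 minutes over the last 15 minutes.
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now

; Trigger only when the search returns at least one event.
; This is what prevents the empty "No results found." email.
counttype = number of events
relation = greater than
quantity = 0

; digest_mode = 0 fires the action once per result instead of once per search,
; giving one email per event without map.
alert.digest_mode = 0
alert.suppress = 0
alert.track = 1

; Email action; $result.<field>$ tokens are resolved per result in non-digest mode.
action.email = 1
action.email.to = abc
action.email.from = xyz
action.email.mailserver = mail.server.net
action.email.subject = $result.report_time$, user $result.user$ logged on to server $result.hostname$
action.email.sendresults = 1
action.email.inline = 1
action.email.format = table
```

Because the alert action runs in the scheduler with the saved search's own context, it also sidesteps the "[HTTP 403] Client is not authorized" error reported above for sendemail inside map, which comes from the inner search lacking the outer search's session. Restart splunkd or reload the app after adding the stanza, and confirm the per-result firing in index=_internal sourcetype=scheduler before trusting it in production.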