Splunk Search

Why are empty emails being sent using map & sendemail commands in my search and how do I prevent this?

splunkrocks2014
Communicator

Hi.

I tried to send an email for each event when triggered. I used map and sendemail commands, but there is an empty email always sent out, regardless if there is any event found. How can I stop sending an empty email? Thanks.

index=xyz user=U12345 OR user=X12345
| table _time hostname user
| eval report_time=strftime(_time, "%d %b %Y %H:%M:%S")
| eval subject=report_time . ", user, " . user . " logged on to server " . hostname
| stats count by subject
| map [ search | eval subject="$subject$" | stats count by subject | fields - count | sendemail server=mail.server.net from=xyz to=abc subject=$result.subject$ sendresults=true ]
0 Karma
1 Solution

woodcock
Esteemed Legend

This is from another Q&A:
https://answers.splunk.com/answers/399434/send-emailed-results-to-an-email-address-in-the-re.html#an...

If you need to send a contextually-appropriate subset of results to some people, you can skip the configuration-based email settings and do this in SPL:

... | outputcsv TempFile.csv
| stats values(Email_Address) AS emailToHeader | mvexpand emailToHeader
| map search="|inputcsv TempFile.csv | where Email_Address=\"$emailToHeader$\"
   | fields - Email_Address
   | sendemail
      sendresults=true inline=true
      server=\"Your.Value.Here\"
      from=\"Your.Value.Here\"
      to=\"$emailToHeader$\"
      subject=\"Your Subject here: \$name\$\"
      message=\"This report alert was generated by \$app\$ Splunk with this search string: \$search\$\""
| where comment="MakeSureNoEventsRemain"
| append [|inputcsv TempFile.csv]

The only downside to this approach is that if the search does not return any results it will produce the following error:

Error in 'map': Did not find value for required attributes 'emailToHeader'

This is "normal" and I have not found a good way to code around it.


0 Karma
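The configuration-based alternative that woodcock refers to above, written out as an added example (this is not from any post in the thread): a scheduled alert in savedsearches.conf whose trigger condition is "number of results greater than 0", so the email action never runs for an empty search, and whose alert.digest_mode = 0 fires the action once per result, which is what the original question asks for. The stanza name, the five-minute schedule and the lookback window are assumptions; mail.server.net, xyz and abc are the placeholder values from the question. String concatenation in eval uses the . operator.

```ini
# Added example, not part of the original thread.
# Assumed: stanza name, cron schedule and lookback window.
# Taken from the question's placeholders: mail server, from and to addresses.
[User logon per-result alert]
search = index=xyz user=U12345 OR user=X12345 \
| eval report_time=strftime(_time, "%d %b %Y %H:%M:%S") \
| eval subject=report_time . ", user, " . user . " logged on to server " . hostname \
| table report_time user hostname subject
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = @m

# Trigger only when at least one result exists; an empty search sends nothing,
# which removes the "No results found" email the question describes.
counttype = number of results
relation = greater than
quantity = 0

# One alert action per result instead of one digest for the whole result set,
# so $result.subject$ below is resolved against each individual row.
alert.digest_mode = 0

action.email = 1
action.email.mailserver = mail.server.net
action.email.from = xyz
action.email.to = abc
action.email.subject = $result.subject$
action.email.sendresults = 1
action.email.inline = 1
action.email.format = table
```

With digest mode left on (the default), $result.subject$ would be taken from the first result only and a single email would carry the whole table; with it off, each row produces its own email with its own subject, and no map or sendemail command is needed in the search itself.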


wangjianiu
Explorer

Does this finally work? I have a similar query that triggers sendemail inside the map command, but I got the error "2021-04-30 04:05:59,276 +0000 ERROR sendemail:1428 - [HTTP 403] Client is not authorized to perform requested action" in index=_internal source=*python.log*. The sendemail works if I run it separately. Some post said the script inside map is missing the context; do you know how we could fix this?

0 Karma

adamsmith47
Communicator

Just wanted to comment here about the method of

... | outputcsv TempFile.csv
| ...
| ...
| where comment="MakeSureNoEventsRemain"
| append [|inputcsv Tempfile.csv]

I've been attempting to get something like this working, with no success, and I've just realized why. The [|inputcsv Tempfile.csv] subsearch executes first (as subsearches do), so when the search reaches the line | append [|inputcsv Tempfile.csv], it appends whatever events existed in Tempfile.csv at the BEGINNING of the search, not what was populated into the file with | outputcsv Tempfile.csv.

Took me a while to figure this out.

0 Karma

somesoni2
Revered Legend

Give this a try
Updated

index=xyz user=U12345 OR user=X12345
 | table _time hostname user
 | eval report_time=strftime(_time, "%d %b %Y %H:%M:%S")
 | eval subject=report_time . ", user, " . user . " logged on to server " . hostname
 | stats count by subject
 | map [ | gentimes start=-1 | eval subject="$subject$" | table subject | sendemail server=mail.server.net from=xyz to=abc subject=$result.subject$ sendresults=true format=table inline=true ]
0 Karma

splunkrocks2014
Communicator

Hi somesoni2, thank you for your response. I am still getting an email with the following contents:

"Search results.
No results found.
"

0 Karma

somesoni2
Revered Legend

Try the updated answer.

0 Karma

splunkrocks2014
Communicator

Still getting an empty email with the following contents:

Search results.
subject
$subject$

0 Karma