Splunk Search

Why are empty emails being sent using map & sendemail commands in my search and how do I prevent this?

Communicator

Hi.

I tried to send an email for each event when triggered. I used map and sendemail commands, but there is an empty email always sent out, regardless if there is any event found. How can I stop sending an empty email? Thanks.

index=xyz user=U12345 OR user=X12345
| table _time hostname user
| eval report_time=strftime(_time, "%d %b %Y %H:%M:%S")
| eval subject=$report_time$ + ", user, " + $user$ + " logged on to server " + $hostname$
|stats count by subject
| map [ search | eval subject=$subject$ | stats count by subject | fields - count | sendemail server=mail.server.net from=xyz to=abc subject=$result.subject$ sendresults=true] 
0 Karma
1 Solution

Esteemed Legend

This is from another Q&A:
https://answers.splunk.com/answers/399434/send-emailed-results-to-an-email-address-in-the-re.html#an...

If you need to send a contextually-appropriate subset of results to some people, you can skip the configuration-based email settings and do this in SPL:

... | outputcsv TempFile.csv
| stats values(Email_Address) AS emailToHeader | mvexpand emailToHeader
| map search="|inputcsv TempFile.csv | where Email_Addresss=\"$emailToHeader$\"
   | fields - Email_Address
   | sendemail
      sendresults=true inline=true
      server=\"Your.Value.Here\"
      from=\"Your.Value.Here\"
      to=\"$emailToHeader$\"
      subject=\"Your Subject here: \$name\$\"
      message=\"This report alert was generated by \$app\$ Splunk with this search string: \$search\$\""
| where comment="MakeSureNoEventsRemain"
| append [|inputcsv TempFile.csv]

The only downside to this approach is that If the search does not return any results it will produce the following error:

"Error in "map": Did not find value for required attributes 'emailToHeader'

This is "normal" and I have not found a good way to code around it.

View solution in original post

0 Karma

Esteemed Legend

This is from another Q&A:
https://answers.splunk.com/answers/399434/send-emailed-results-to-an-email-address-in-the-re.html#an...

If you need to send a contextually-appropriate subset of results to some people, you can skip the configuration-based email settings and do this in SPL:

... | outputcsv TempFile.csv
| stats values(Email_Address) AS emailToHeader | mvexpand emailToHeader
| map search="|inputcsv TempFile.csv | where Email_Addresss=\"$emailToHeader$\"
   | fields - Email_Address
   | sendemail
      sendresults=true inline=true
      server=\"Your.Value.Here\"
      from=\"Your.Value.Here\"
      to=\"$emailToHeader$\"
      subject=\"Your Subject here: \$name\$\"
      message=\"This report alert was generated by \$app\$ Splunk with this search string: \$search\$\""
| where comment="MakeSureNoEventsRemain"
| append [|inputcsv TempFile.csv]

The only downside to this approach is that If the search does not return any results it will produce the following error:

"Error in "map": Did not find value for required attributes 'emailToHeader'

This is "normal" and I have not found a good way to code around it.

View solution in original post

0 Karma

Path Finder

Just wanted to comment here about the method of

... | outputcsv TempFile.csv
| ...
| ...
| where comment="MakeSureNoEventsRemain"
| append [|inputcsv Tempfile.csv]

I've been attempting to get something like this working, with no success, and I've just realized why. The [|inputcsv Tempfile.csv] subsearch executes first (as subsearches do), so when the search reaches the line of | append [|inputcsv Tempfile.csv], it appends whatever events existed in the Tempfile.csv at the BEGINING of the search, not what was populated into the file with | outputcsv Tempfile.csv.

Took me a while to figure this out.

0 Karma

SplunkTrust
SplunkTrust

Give this a try
Updated

index=xyz user=U12345 OR user=X12345
 | table _time hostname user
 | eval report_time=strftime(_time, "%d %b %Y %H:%M:%S")
 | eval subject=$report_time$ + ", user, " + $user$ + " logged on to server " + $hostname$
 |stats count by subject
 | map [ | gentimes start=-1 | eval subject="$subject$" |table subject| sendemail server=mail.server.net from=xyz to=abc subject=$result.subject$ sendresults=true format=table inline=true] 
0 Karma

Communicator

Hi somesoni2, thank you for your respond. I am still getting an email with the following contents:

"Search results.
No results found.
"

0 Karma

SplunkTrust
SplunkTrust

Try the updated answer.

0 Karma

Communicator

still getting empty email with the following contents:

Search results.
subject
$subject$

0 Karma