Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- expiry notification use case
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
expiry notification use case
avi123
Explorer
01-09-2025
03:18 AM
Hi All,
I have designed a splunk query:
| inputlookup Expiry_details_list.csv
| lookup SupportTeamEmails.csv Application_name OUTPUT Owner_Email_address Ops_Leads_Email_address Escalation_Contacts_Email_address
| eval Expiry_Date = strptime(Expiry_date, "%m/%d/%Y")
| eval Current_Time = now()
| eval Expiry_Date_Timestamp = strftime(Expiry_Date, "%Y/%m/%d %H:%M:%S")
| eval Days_until_expiry = round((Expiry_Date - Current_Time) / 86400, 0)
| eval alert_type = case(
Days_until_expiry <= 7, "Owner",
Days_until_expiry <= 15, "Support",
Days_until_expiry < 1, "Expired",
Days_until_expiry > 15, "Others",
true(), "None")
| search alert_type != "None"
| eval email_list = case(
alert_type == "Owner", Escalation_Contacts_Email_address,
alert_type == "Support", Ops_Leads_Email_address,
alert_type == "Expired", mvappend(Owner_Email_address, Ops_Leads_Email_address, Escalation_Contacts_Email_address),
true(), "None")
| eval email_list = split(mvjoin(email_list, ","), ",")
| eval cc_email_list = case(
alert_type == "Owner", Owner_Email_address,
alert_type == "Support", Owner_Email_address,
true(), "None")
| eval cc_email_list = split(mvjoin(cc_email_list, ","), ",")
| dedup Application_name Environment email_list
| eval email_recipient = mvdedup(email_list)
| eval email_recipient = mvjoin(email_recipient, ",")
| eval email_cc = mvdedup(cc_email_list)
| eval email_cc = mvjoin(email_cc, ",")
| table Application_name, Environment, Type, Sub_Type, Expiry_Date_Timestamp, Days_until_expiry, email_recipient, email_cc
| fields - alert_type, Owner_Email_address, Ops_Leads_Email_address, Escalation_Contacts_Email_addressNow this is returning output as provided in the attached file, what I am expecting is in email_list it should return only Escalation_contacts_email_address and in cc_email_list it should merge the email address of Owner_Email_address and Ops_Leads_Email_address seperated by a comma when the alert_type == "Expired"
How do I get this using splunk query?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
defection-io
Explorer
01-10-2025
01:36 PM
Hi @avi123 ,
I'm not 100% sure if I understood the requirements, but I'm giving it a shot here. Let me know if this works for you:
| inputlookup Expiry_details_list.csv
| lookup SupportTeamEmails.csv Application_name OUTPUT Owner_Email_address Ops_Leads_Email_address Escalation_Contacts_Email_address
| eval Expiry_Date = strptime(Expiry_date, "%m/%d/%Y")
| eval Current_Time = now()
| eval Expiry_Date_Timestamp = strftime(Expiry_Date, "%Y/%m/%d %H:%M:%S")
| eval Days_until_expiry = round((Expiry_Date - Current_Time) / 86400, 0)
| eval alert_type = case(
Days_until_expiry <= 7, "Owner",
Days_until_expiry <= 15, "Support",
Days_until_expiry < 1, "Expired",
Days_until_expiry > 15, "Others",
true(), "None")
| search alert_type != "None"
| eval email_list = case(
alert_type == "Owner", Escalation_Contacts_Email_address,
alert_type == "Support", Ops_Leads_Email_address,
alert_type == "Expired", Escalation_Contacts_Email_address,
true(), "None")
| eval cc_email_list = case(
alert_type == "Owner", Owner_Email_address,
alert_type == "Support", Owner_Email_address,
alert_type == "Expired", mvappend(Owner_Email_address, Ops_Leads_Email_address),
true(), "None")
| eval email_list = split(mvjoin(email_list, ","), ",")
| eval cc_email_list = split(mvjoin(cc_email_list, ","), ",")
| dedup Application_name Environment email_list
| eval email_recipient = mvdedup(email_list)
| eval email_recipient = mvjoin(email_recipient, ",")
| eval email_cc = mvdedup(cc_email_list)
| eval email_cc = mvjoin(email_cc, ",")
| table Application_name, Environment, Type, Sub_Type, Expiry_Date_Timestamp, Days_until_expiry, email_recipient, email_cc
| fields - alert_type, Owner_Email_address, Ops_Leads_Email_address, Escalation_Contacts_Email_address
Got questions? Get answers!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Meet up IRL or virtually!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Get Updates on the Splunk Community!
How to find the worst searches in your Splunk environment and how to fix them
Everyone knows Splunk is a powerful platform for running searches and doing data analytics. Your ...
Share Your Feedback: On Admin Config Service (ACS)!
Help Us Build a Better Admin Config Service Experience (ACS)
We Want Your Feedback on Admin Config Service ...
Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon
AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...
