Splunk Search

not sendemail if "Results not found"


Hi. I'm trying to selectively send emails (using sendemail); if the output of the query is "No results found" or "No results", I don't want to send emails.

Here's my CLI command:

splunk search "|savedsearch hello|sendemail to=admin@example.com from=server@example.com sendresults=true format=html inline=true subject=splunk_log"

hello is a generic query returning nothing.

Do it like this:

... | rename COMMENT1of3 AS "Splunk sendemail ALWAYS sends email, even when no results found; we address this with 2 settings:"
| rename COMMENT2of3 AS "First, we put 'null()' in 'to' header when no results; this causes 'sendemail' to error."
| rename COMMENT3of3 AS "Last, we use 'graceful=true' so that the search does not log any error for that."
| eval valueForToHeader=if(isnotnull(someFieldNameInYourResults), "YourGoodEmailGoesHere@YourCompany.com", null())
| sendemail to=$result.valueForToHeader$ graceful=true

The caveat of this is that the email address must exist in the resultset, otherwise it assumes it's null. This means all your emails will have the field "valueForToHeader" at the end of all the columns. Could be worse, but could be much better.

In the case that you don't want to email if there are no results, you don't even need to put in an if statement. If there are no events, there can be no event where you can eval a value to a field -- therefore it will still try to send as null.

Tested the following scenarios:

| makeresults | eval to_address="test_address@company.com" | sendemail to=$result.to_address$ subject="Test Email"

This works.

| makeresults | eval to_address="test_address@company.com" | table _time | sendemail to=$result.to_address$ subject="Test Email"

This does not work (null to address).

| makeresults | eval to_address="test_address@company.com", temp="something" | search temp="somethingelse" | sendemail to=$result.to_address$ subject="Test Email"

This does not work (null to address).

Dirty way to do it, but effective!

Also a good way to email users who do bad things...

| eval to=case(_raw!="","whoz-at-who.com") | sendemail to=$result.to$
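For the CLI case from the original question, the check can also be done outside SPL: run the saved search once, count the rows, and only invoke sendemail when there is at least one. This is an added example, not code from the thread; it assumes `splunk search` accepts `-output csv`, `-maxout` and `-auth`, prints a CSV header plus one line per result, and prints nothing or "No results found." when the search is empty (the install path and the saved search name `hello` are also assumptions).

```shell
#!/bin/sh
# Added example: only call sendemail when the saved search returned rows.
# Assumed CLI behaviour: -output csv prints a header line then one line per
# result; an empty search prints nothing or "No results found.".
SPLUNK=${SPLUNK:-/opt/splunk/bin/splunk}      # assumed install path
SPLUNK_AUTH=${SPLUNK_AUTH:-admin:changeme}    # placeholder credentials
SEARCH='| savedsearch hello'                  # saved search from the question
MAIL_ARGS='to=admin@example.com from=server@example.com sendresults=true format=html inline=true subject=splunk_log'

# Count data rows in CSV output. Returns 0 for empty output, a bare header,
# or the "No results found." message; otherwise lines after the header.
count_rows() {
  csv=$1
  case "$csv" in
    ''|'No results found.'*) echo 0; return ;;
  esac
  lines=$(printf '%s\n' "$csv" | grep -c .)
  if [ "$lines" -le 1 ]; then echo 0; else echo $((lines - 1)); fi
}

# Run the search for its rows first; send the email only if rows exist, so an
# empty report never reaches the mailbox.
run_and_mail() {
  out=$("$SPLUNK" search "$SEARCH" -output csv -maxout 0 -auth "$SPLUNK_AUTH")
  n=$(count_rows "$out")
  if [ "$n" -gt 0 ]; then
    "$SPLUNK" search "$SEARCH | sendemail $MAIL_ARGS" -auth "$SPLUNK_AUTH"
  else
    echo "saved search returned no rows; not sending email" >&2
  fi
}
```

Call `run_and_mail` from the cron job or script that currently runs the one-line CLI command; it runs the search twice, which is acceptable for small scheduled reports.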

Having the same issue. Is there a way when using the sendemail command to only send email if there are results?

Do you execute the search (the result of which you want to email) manually on an ad hoc basis?

