Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

sendemail to a field value - without script?

bcusick
Communicator
‎05-22-2014 08:52 AM

Hi, I am trying to send search results to an email address using the sendemail command.

If I "hardcode" the to field in my sendemail command, this works great. However the goal is to send the email to a field value from the search itself..so..

source=reallyBadUsers | Table User, Manager, ManagerEmailAddr | sendemail to=$ManagerEmailAddr$ sendresults=true priority=high subject="This guy is really bad" server=x.x.x.x

Obviously I've learned that $ManagerEmailAddr$ is not going to work.

How can I work around this? The "to" address will be dependent on the ManagerEmailAddr from the search.

Thanks,

Brian

0 Karma
Reply

splunkyfun12721
Loves-to-Learn Lots
‎03-02-2021 11:22 AM

Hi,

I ran into the same problem and here is how I get it to work by referencing the Result tokens part in Splunk's documentation.

 

<Base search> 
| table User, EmailAddress 
| sendemail to=$result.EmailAddress$ from="me@example.com" ...

 

 

https://docs.splunk.com/Documentation/Splunk/8.1.2/Alert/EmailNotificationTokens

0 Karma
Reply

Nicolo_Figiani
Path Finder
‎08-26-2016 05:40 AM

Hi,
you should go for the "sendresults Command": https://splunkbase.splunk.com/app/1794 (details here: app details)

This app basically configures a custom command that allows you to:

Dynamically evaluate who to send
results to, based upon the results of
the search itself

I used it in the past and it works charmingly..

Hope this helps,
regards

0 Karma
Reply

pallavibalasa
Explorer
‎08-26-2016 12:22 AM

Hi,
I had same issue. The above query did not send email also. Please let me know if you are able to get the solution.

Regards,
Pallavi

0 Karma
Reply

somesoni2
Revered Legend
‎05-22-2014 09:51 AM

Try this

source=reallyBadUsers | Table User, Manager, ManagerEmailAddr | sendemail [source=reallyBadUsers | Table ManagerEmailAddr | mvcombine delim="," ManagerEmailAddr | nomv ManagerEmailAddr  | rename ManagerEmailAddr as to]  sendresults=true priority=high subject="This guy is really bad"
Reply

lim2
Communicator
‎11-19-2019 05:43 AM

Hi somesoni2,

From your above example, I got following query which is supposed send an email of the result, if result > 0 to predefined user email. The src_email needs to be dynamically set. But it is sending the email even though there is no result. Please advise how to update it to only sendemail when result > 0. Thanks



 earliest=-60m@m index=network comment="Comment" 

| dedup local_start_time src_name src_number src_email src_site src_location dest_name dst_number 

| table local_start_time src_name src_number src_email src_site src_location dest_name dst_number 

| eval from=src_email | sendemail 

    [ search earliest=-60m@m index=network comment="Comment" 

    | dedup local_start_time src_name src_number src_email src_site src_location dest_name dst_number 

    | table src_email 

    | rename src_email as from] to="mike@company.org" format=table subject="Comment" server=mail.company.org sendresults=true inline=true

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...
Top