sendemail to a field value - without script?

bcusick · ‎05-22-2014

Hi, I am trying to send search results to an email address using the sendemail command.

If I "hardcode" the to field in my sendemail command, this works great. However the goal is to send the email to a field value from the search itself..so..

source=reallyBadUsers | Table User, Manager, ManagerEmailAddr | sendemail to=$ManagerEmailAddr$ sendresults=true priority=high subject="This guy is really bad" server=x.x.x.x

Obviously I've learned that $ManagerEmailAddr$ is not going to work.

How can I work around this? The "to" address will be dependent on the ManagerEmailAddr from the search.

Thanks,

Brian

splunkyfun12721 · ‎03-02-2021

Hi,

I ran into the same problem and here is how I get it to work by referencing the Result tokens part in Splunk's documentation.

<Base search> 
| table User, EmailAddress 
| sendemail to=$result.EmailAddress$ from="me@example.com" ...

https://docs.splunk.com/Documentation/Splunk/8.1.2/Alert/EmailNotificationTokens

Nicolo_Figiani · ‎08-26-2016

Hi,
you should go for the "sendresults Command": https://splunkbase.splunk.com/app/1794 (details here: app details)

This app basically configures a custom command that allows you to:

Dynamically evaluate who to send
results to, based upon the results of
the search itself

I used it in the past and it works charmingly..

Hope this helps,
regards

pallavibalasa · ‎08-26-2016

Hi,
I had same issue. The above query did not send email also. Please let me know if you are able to get the solution.

Regards,
Pallavi

somesoni2 · ‎05-22-2014

Try this

source=reallyBadUsers | Table User, Manager, ManagerEmailAddr | sendemail [source=reallyBadUsers | Table ManagerEmailAddr | mvcombine delim="," ManagerEmailAddr | nomv ManagerEmailAddr  | rename ManagerEmailAddr as to]  sendresults=true priority=high subject="This guy is really bad"

lim2 · ‎11-19-2019

Hi somesoni2,

From your above example, I got following query which is supposed send an email of the result, if result > 0 to predefined user email. The src_email needs to be dynamically set. But it is sending the email even though there is no result. Please advise how to update it to only sendemail when result > 0. Thanks



 earliest=-60m@m index=network comment="Comment" 

| dedup local_start_time src_name src_number src_email src_site src_location dest_name dst_number 

| table local_start_time src_name src_number src_email src_site src_location dest_name dst_number 

| eval from=src_email | sendemail 

    [ search earliest=-60m@m index=network comment="Comment" 

    | dedup local_start_time src_name src_number src_email src_site src_location dest_name dst_number 

    | table src_email 

    | rename src_email as from] to="mike@company.org" format=table subject="Comment" server=mail.company.org sendresults=true inline=true

sendemail to a field value - without script?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Join the Conversation

sendemail to a field value - without script?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence