- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: sending emails to users that appear in search ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
The question was asked before but I couldn't find a good answer anywhere. Here goes...
I have a search result with multiple lines and the first column consists of emails of different persons that I need email.
The rest of the columns also have information that needs to be included in the email. the information is different for each person/row.
How can I send multiple emails to different recipients using sendmail with the recipient being the name in the first column and the email itself has information from the rest of the columns.
Thanks.
Assaf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Let's say your search results return fields named recipient, data1, data2, and data3, and you'd like to send the contents of the fields named data* to the user named in the recipient field. Here's how you'd do that:
your base search
| map search
[ | sendemail to=$recipient$ subject="some subject" from=youremail@yourself.com message="$data1$ and then more $data2$ and finally some $data3$" ]
This will run the subsearch once for each line of results from the base search, effectively shepherding the values from recipient and data* into the subsearch together.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's pretty simple, don't even need to use map command. Just enable send email alert action and in to: field set $result.email$ (email - depend upon your field name in Splunk result) and select trigger "for each result". Email will be send to the respective email address for each line of result.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
While you already have an answer, I'd suggest you also have a look at sendresults, this can be useful for emailing the results of a search on a per-user basis...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks.. I'll look into that also.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Let's say your search results return fields named recipient, data1, data2, and data3, and you'd like to send the contents of the fields named data* to the user named in the recipient field. Here's how you'd do that:
your base search
| map search
[ | sendemail to=$recipient$ subject="some subject" from=youremail@yourself.com message="$data1$ and then more $data2$ and finally some $data3$" ]
This will run the subsearch once for each line of results from the base search, effectively shepherding the values from recipient and data* into the subsearch together.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks elliotproebstel,
when running your suggestion as is Splunk threw an error but some digging got me to the correct syntax (Adding it below for future referencing)
base_search
| map search="sendemail to= subject=\"need_to_escape\" from= message=\"$data1$ and then more $data2$ and finally some $data3$\" sendresults=true inline=true format=raw"
Thanks, accepting as answer.
Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!
Logs to Metrics
Developer Spotlight with Paul Stout
