Solved: How do you show all search results in an email not...

pinkyyu · ‎01-03-2019

I use the below search command with email notification query:

src=BDDH2591 source="D" earliest=-14d | table time_detected, src, user, file_path | stats list(file_path) list(time_detected) AS time by src user*

the email content will consist of the below information
Antivirus information:
Date (UTC-0): $$result.time_detected$$
Machine name: $$result.src$$
Username: $$result.user$$
Path: $$result.file_path$$

However, the result of email content will become below:

Antivirus information:
Date (UTC-0):
Machine name: BDDH2591
Username: chsab
Path:

The date and time details are missing.

What can be done?

renjith_nair · ‎01-03-2019

@pinkyyu ,

The fields in your last stats command and fields in your email do not match .
Field in email: $$result.time_detected$$ -> field in search time
Filed in email : $$result.file_path$$ -> Field in search list(file_path)

Change the search or change fields in email

e.g.

src=BDDH2591 source="D" earliest=-14d | table time_detected, src, user, file_path 
| stats list(file_path) as  file_path,list(time_detected) AS time_detected by src user*

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

renjith_nair · ‎01-03-2019

@pinkyyu ,

The fields in your last stats command and fields in your email do not match .
Field in email: $$result.time_detected$$ -> field in search time
Filed in email : $$result.file_path$$ -> Field in search list(file_path)

Change the search or change fields in email

e.g.

src=BDDH2591 source="D" earliest=-14d | table time_detected, src, user, file_path 
| stats list(file_path) as  file_path,list(time_detected) AS time_detected by src user*

---
What goes around comes around. If it helps, hit it with Karma 🙂

pinkyyu · ‎01-03-2019

but the format of the email notification is not good. any way to make it good?
Antivirus information:
Date (UTC-0): 10/27/2018 2:45:08 PM 10/27/2018 2:44:10 PM 10/27/2018 2:44:10 PM
Machine name: BDDH2591
Username: chsab
Path: D:\100MSDCF.lnk D:\293267_2228137858557_1101133293_32911494_1364880061_n.lnk D:\autorun.lnk D:\Bank CV.lnk D:\Bio-Data of Shumi.lnk D:\Color Songs - .lnk D:\Copy of Shortcut to (1).lnk D:\Copy of Shortcut to (2).lnk D:\Copy of Shortcut to (3).lnk D:\Copy of Shortcut to (4).lnk D:\100MSDCF.lnk D:\293267_2228137858557_1101133293_32911494_1364880061_n.lnk D:\autorun.lnk D:\Bank CV.lnk D:\Bio-Data of Shumi.lnk D:\Color Songs - .lnk D:\DSC_0025.lnk D:\DSC_0027.lnk D:\DSC_0028.lnk D:\DSC_0173.lnk D:\DSC_0174.lnk D:\joined-all.lnk D:\Learn all Forms of Arabic Alphabet Letters (Beginning, Middle & End of a Word).lnk D:\MOA.lnk 😧
asim b day.lnk D:\Phonics Song .lnk D:\Pics.lnk D:\RECYCLER.lnk D:\rrrr.lnk D:\Rujaan b day.lnk D:\Ruma_CV.lnk D:\Saiful.lnk D:\SIVC.lnk D:\The Annoying Orange.lnk D:\Twinkle Twinkle Little Star.lnk D:\videoplayback_11.lnk D:\videoplayback_15.lnk D:\videoplayback_16.lnk

renjith_nair · ‎01-04-2019

you may combine those multivalue field and then expand them to get one event per row. Also select Inline table for the result in email settings

 src=BDDH2591 source="D" earliest=-14d | table time_detected, src, user, file_path 
 | stats list(file_path) as  file_path,list(time_detected) AS time_detected by src user*
 | eval x=mvzip(file_path,time_detected,"#")|table src,user,x
 | mvexpand x|rex field=x "(?<file_path>.+)#(?<time_detected>.+)"|fields - x

---
What goes around comes around. If it helps, hit it with Karma 🙂

pinkyyu · ‎01-06-2019

after testing the modified search, the format in email is the same. All file paths are shown together.

Does it the constraint of the email notification?

Date (UTC-0): 10/27/2018 2:45:08 PM 10/27/2018 2:44:10 PM 10/27/2018 2:44:10 PM 10/27/2018 2:44:10 PM 10/27/2018 2:44:10 PM 10/27/2018 2:45:08 PM 10/27/2018 2:44:10 PM 10/27/2018 2:44:10 PM 10/27/2018 2:45:08 PM 10/27/2018 2:44:10 PM 10/27/2018 2:44:10 PM 10/27/2018 2:44:10 PM
Machine name: BDDH2591
Username:
Path: D*:\100MSDCF.lnk D:\Copy of Shortcut to (1).lnk D:\100MSDCF.lnk D:\COOL.vbs D:\COOL.vbs D:\100MSDCF.lnk D:\Copy of Shortcut to (1).lnk D:\100MSDCF.lnk D:\100MSDCF.lnk D:\Copy of Shortcut to (1).lnk D:\COOL.vbs D:\100MSDCF.lnk*

renjith_nair · ‎01-06-2019

How are you getting this in the result from splunk search head? Are these in single filed or multiple rows? And are you sending them in table in email ?

---
What goes around comes around. If it helps, hit it with Karma 🙂

pinkyyu · ‎01-06-2019

i created a dashboard and use below command with mentioned search command to trigger the email notification via dashboard

|sendemail to="$email$," from="XXX@com>" subject="Information ($case_id$)" message="Dear $name$,
Details:
Date (UTC-0): $$result.time_detected$$
Machine name: $$result.src$$
Username: $$result.user$$
Path: $$result.file_path$$

How do you show all search results in an email notification?

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Data Persistence in the OpenTelemetry Collector

Thanks for the Memories! Splunk University, .conf25, and our Community

Are you a member of the Splunk Community?

How do you show all search results in an email notification?

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Data Persistence in the OpenTelemetry Collector

Thanks for the Memories! Splunk University, .conf25, and our Community