Activity Feed
- Posted Re: Field extraction on lookup table on Splunk Search. 07-30-2020 07:59 PM
- Posted Re: Field extraction on lookup table on Splunk Search. 07-30-2020 01:43 AM
- Posted How to perform a field extraction on a field from a lookup table? on Splunk Search. 07-29-2020 01:31 AM
- Got Karma for Re: How to run an ldapsearch to find all users in an OU in Active Directory, then export all users' events to a table?. 06-05-2020 12:48 AM
- Posted Re: How to loop through all the results and send an email to each user on Splunk Dev. 10-23-2018 08:52 PM
- Posted How to loop through all the results and send an email to each user on Splunk Dev. 10-17-2018 10:44 PM
- Tagged How to loop through all the results and send an email to each user on Splunk Dev. 10-17-2018 10:44 PM
- Posted Re: How to create a regex that captures the first 6 characters of a mac address and removes the hyphen characters? on Splunk Search. 07-17-2018 09:06 PM
- Posted Re: How to create a regex that captures the first 6 characters of a mac address and removes the hyphen characters? on Splunk Search. 07-17-2018 09:02 PM
- Posted How to create a regex that captures the first 6 characters of a mac address and removes the hyphen characters? on Splunk Search. 07-17-2018 05:56 PM
- Tagged How to create a regex that captures the first 6 characters of a mac address and removes the hyphen characters? on Splunk Search. 07-17-2018 05:56 PM
- Posted Re: I'm trying to perform a subsearch on lookup table and extract two fields using a or statement on Splunk Search. 08-11-2016 04:32 PM
- Posted I'm trying to perform a subsearch on lookup table and extract two fields using a or statement on Splunk Search. 08-10-2016 06:50 PM
- Tagged I'm trying to perform a subsearch on lookup table and extract two fields using a or statement on Splunk Search. 08-10-2016 06:50 PM
- Posted Re: Splunk Support for Active Directory: How to search a list of users whose accounts will expire within 30 days of today's date? on All Apps and Add-ons. 06-01-2016 04:23 PM
- Posted Re: Splunk Support for Active Directory: How to search a list of users whose accounts will expire within 30 days of today's date? on All Apps and Add-ons. 06-01-2016 03:37 PM
- Posted Splunk Support for Active Directory: How to search a list of users whose accounts will expire within 30 days of today's date? on All Apps and Add-ons. 06-01-2016 01:55 AM
- Tagged Splunk Support for Active Directory: How to search a list of users whose accounts will expire within 30 days of today's date? on All Apps and Add-ons. 06-01-2016 01:55 AM
08-04-2020 03:23 PM
I got your requirement now, here's what you can try:
1. In the Index field in your datamodel, append the results of your lookup (inputlookup append=t your_lookup.csv).
2. In the calculated fields, use the option "extract more fields", use Auto extracted fields and check if you can find your desired field there; if yes, just add it to your datamodel.
3. If you cannot find it via Auto extract, you can always go for the trusted Regular Expressions.
Try this and let me know if it works.
S
If it helps, please accept it as an answer.
10-23-2018 08:52 PM
I've tried many different combinations and got it working with the map search command.
When I used the map command with sendemail, the variables changed from $result.field$ to $field$, to use the field as a variable. I also had to escape the quotation marks within the map command.
Here is my search query that worked for anyone else facing the same issue.
```spl
| inputlookup ActiveDirectory_Users.csv
| eval AccountExpiryEpoch=strptime(accountExpires,"%Y-%m-%dT%H:%M:%S%Z")
| where AccountExpiryEpoch < relative_time(now(),"+30d@d") AND AccountExpiryEpoch >= now()
| eval AccountExpiresTime=strftime(AccountExpiryEpoch,"%A, %e %B %Y")
| eval AccountExpiresDate=strftime(AccountExpiryEpoch,"%d/%m/%Y %I:%M:%S %p")
| eval UppergivenName=upper(substr(givenName,1,1)).lower(substr(givenName,2))
| eval Uppersn=upper(substr(sn,1,1)).lower(substr(sn,2))
| map search="
| sendemail from=\"helpdeskemail\" to=\"$mail$\" bcc=helpdeskemail subject=\"Account Expiring\" message=\"
Dear $UppergivenName$ $Uppersn$,
Your account ($UppergivenName$ $Uppersn$) is due to expire on $AccountExpiresTime$.
\"
"
```
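The same selection logic modelled in Python, as an added example that is not code from the original post, so the window produced by relative_time(now(),"+30d@d") and the name casing can be checked offline before the map/sendemail step is wired up; the lookup rows, POST_TIME and doing the day snap in UTC are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of the ActiveDirectory_Users.csv lookup (not real accounts).
SAMPLE_ROWS = [
    {"givenName": "aLICE", "sn": "smith", "mail": "alice@example.invalid",
     "accountExpires": "2018-11-10T09:00:00Z"},  # inside the window
    {"givenName": "BOB", "sn": "JONES", "mail": "bob@example.invalid",
     "accountExpires": "2018-12-25T00:00:00Z"},  # more than 30 days out
    {"givenName": "carol", "sn": "ng", "mail": "carol@example.invalid",
     "accountExpires": "2018-10-01T00:00:00Z"},  # already expired, not mailed
    {"givenName": "dave", "sn": "lee", "mail": "dave@example.invalid",
     "accountExpires": "2018-11-22T10:00:00Z"},  # under 30 days away but dropped by @d
]
# Assumed "now": the timestamp of the post above, taken as UTC.
POST_TIME = datetime(2018, 10, 23, 20, 52, tzinfo=timezone.utc)


def relative_time_30d_at_day(now):
    """Mirror of relative_time(now(), "+30d@d"): add 30 days, then snap to midnight.
    The snap moves the upper bound down, so the last partial day is excluded."""
    return (now + timedelta(days=30)).replace(hour=0, minute=0, second=0, microsecond=0)


def name_case(value):
    """Mirror of upper(substr(x,1,1)).lower(substr(x,2))."""
    return value[:1].upper() + value[1:].lower()


def expiring_accounts(rows, now):
    """Return (mail, message) pairs for rows with now <= expiry < +30d@d,
    rendering the text the map/sendemail step would send for each row."""
    limit = relative_time_30d_at_day(now)
    out = []
    for row in rows:
        # strptime(accountExpires, "%Y-%m-%dT%H:%M:%S%Z"); the trailing Z is UTC.
        expiry = datetime.fromisoformat(row["accountExpires"].replace("Z", "+00:00"))
        if not (now <= expiry < limit):
            continue
        given, sn = name_case(row["givenName"]), name_case(row["sn"])
        when = f"{expiry:%A}, {expiry.day} {expiry:%B %Y}"  # strftime "%A, %e %B %Y"
        message = (f"Dear {given} {sn},\n"
                   f"Your account ({given} {sn}) is due to expire on {when}.")
        out.append((row["mail"], message))
    return out


def main():
    return expiring_accounts(SAMPLE_ROWS, POST_TIME)
```

Only Alice is selected: Dave's account expires within 30 days of POST_TIME but after the snapped upper bound, which is the part of the window worth checking before relying on it.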
07-18-2018 06:47 AM
Perfect @dkorlat.
08-11-2016 04:32 PM
Thanks, worked perfectly.
06-01-2016 04:23 PM
I have the user's email address from Active Directory in the lookup table. Is there a way Splunk can turn the user's email address into a variable and then send an email to the individual email addresses it finds in the report? Currently we send the report to the Service Desk, and the Service Desk calls the user advising them that they need to start the process of getting their accounts extended. It would be nice if Splunk could also email the users.
05-23-2016 06:51 PM
1 Karma
Thanks
This solved the problem:
```spl
index=safend source=Safend_DataEventsView sourcetype=dbx2
    [| ldapsearch domain=internal.local basedn="OU=Finance,OU=Users,DC=internal,DC=local" scope="sub" search="(objectClass=user)"
     | eval User=lower(userPrincipalName)
     | fields User]
| sort by -_time
| convert timeformat="%d/%m/%Y %I:%M:%S %p" ctime(_time)
| replace 0 with Read, 1 with Write
| eval megabytes=((FileSize/1024)/1024)
| eval "File Size"=megabytes + " MB"
| table _time, User, FileName, FileExtension, ClientHost, DeviceDescription, FileOperation, "File Size", IPAddresses, PolicyName, ClientVersion
| rename _time as Time, DeviceDescription as "Device Description", FileName as "File Name", FileExtension as "File Extension", ClientHost as "From PC", FileOperation as "File Operation", PolicyName as "Policy Name", IPAddresses as "IP Address", ClientVersion as "Client Version"
```
04-05-2016 08:31 AM
Give this a try:
```ini
EXTRACT-Item_Name = Item Name:\s+(?<Item_Name>.+)\s+suid=
```