Hi @woodcock. This is very helpful, and somewhat of a game changer in sending dynamic alerts from Splunk. Thank you! I did have a quick question about outputcsv. From what I've read, outputlookup writes to a lookup file that replicates across a search head cluster, while outputcsv just writes a CSV in the current search head's var/run directory. I'm looking to have this result dataset NOT be persistent. Do you have any recommendations about creating a result dataset for the map command that will age out after the search is run, or some configurable time after? ... View more

Just use a stats by email address at the end. Then will have only one email per recipient. ... View more

Hi, I ran into the same problem and here is how I get it to work by referencing the Result tokens part in Splunk's documentation.   <Base search> | table User, EmailAddress | sendemail to=$result.EmailAddress$ from="me@example.com" ...     https://docs.splunk.com/Documentation/Splunk/8.1.2/Alert/EmailNotificationTokens ... View more