I want to send an alert to each Employee once a day with a stats table customized to that employee: for instance the search looks similar to:
user="username" (result="hit" OR result="miss") | stats earliest(_time), count, dc(result), max(score) by referer
How can I divide this into multiple tables, one for each username that Splunk finds, and send each user their own table?
I know that I can use the variable $result.user$ in my alert in the To: field like $result.user$@ourdomain.com
I want to send a customized table to each user. So james@ourdomain.com would receive the results of
user="james" (result="hit" OR result="miss") | stats earliest(_time), count, dc(result), max(score) by referer
but jill@ourdomain.com would receive the results of
user="jill" (result="hit" OR result="miss") | stats earliest(_time), count, dc(result), max(score) by referer
etc.
Since there are several hundred users and they come and go, the alert should just generate a table for each user it finds and attempt to email the results to that user.
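One way to build the per-user fan-out described above as a single scheduled search, added here as an example and not code from the original post: the outer search lists the users seen today, and `map` re-runs the stats search once per user with that user's name substituted into both the filter and the `sendemail` recipient. The index name `web`, the `@ourdomain.com` mail domain and the `maxsearches` ceiling are assumptions; adjust them to the environment.

```spl
index=web (result="hit" OR result="miss") earliest=-1d@d latest=@d
| stats count BY user
| where match(user, "^[A-Za-z0-9._-]+$")
| map maxsearches=500 search="search index=web earliest=-1d@d latest=@d user=$user$ (result=\"hit\" OR result=\"miss\")
    | stats earliest(_time) AS first_seen, count, dc(result), max(score) BY referer
    | eval first_seen=strftime(first_seen, \"%Y-%m-%d %H:%M:%S\")
    | sendemail to=\"$user$@ourdomain.com\" subject=\"Your daily hit/miss stats\" sendresults=true inline=true format=table"
```

Save this as a report scheduled once a day rather than as a triggered alert: every email is sent by the `sendemail` command inside the per-user subsearch, so no alert action is needed. The `where match(...)` line is deliberate: the `user` value comes straight out of the indexed data and is pasted into both a search string and a mail header, so only values that look like plain account names are allowed through; anything with spaces, quotes or `@` signs is dropped instead of producing a malformed search or recipient. `map` runs at most `maxsearches` subsearches and stops silently after that (the default is 10), so set it above the expected user count and watch the job inspector for the warning if the population grows.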