How to get Splunk sendemail command to send multiple emails based on search results?

flle
Path Finder

Hi,

Can the "sendemail" command be used to send multiple emails based on receiver information in the search result? So if I have a result with 10 events and each event contains an email address, I want to send 10 mails with specific information from each Event to 10 different receivers. When I try this, only one mail is sent based on the data of the first event in the search result set.
Example:

search <something>
| ldapfilter domain=domainname search="(sAMAccountName=$user$)" attrs="DisplayName,title,givenName,sn,mail"
| sendemail to=$result.mail$ server=localhost subject="Mail subject" message="Hallo $result.givenName$,
Some mail text"

With that search I get a result with usernames, look up the user attributes from AD, and want to send one email per search result event based on the specific information of each event. Unfortunately, only one email is sent, based on the data of the first event in the result.
Is that a limitation of the sendemail command, a bug, or am I missing something?

Thanks for any hints!

1 Solution

MuS
Legend

Hi flle,

as given in the docs http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Sendemail you can send emails to multiple recipients like this:

Example 1: Send search results in table format with the subject "myresults".

... | sendemail to="elvis@splunk.com,john@splunk.com" format=raw subject=myresults server=mail.splunk.com sendresults=true

Based on your provided search example, you should add some eval before the sendemail command so it concatenates all found mail values. Take a look at this run-everywhere command:

index=_internal | stats values(source) AS mySource | eval otherList=mvjoin(mySource, ", ") | table source, mySource, otherList

otherList would be your to= field for the sendemail command.
So this untested search should work:

search <something>
| ldapfilter domain=domainname search="(sAMAccountName=$user$)" attrs="DisplayName,title,givenName,sn,mail"
| eventstats values(mail) AS myTo | eval to=mvjoin(myTo, ", ")
| sendemail to=$result.to$ server=localhost subject="Mail subject" message="Hallo $result.givenName$,
Some mail text"

Adapt it to your needs if it's not working right from the start.

cheers, MuS

sirajnp
Path Finder

It's pretty simple, you don't even need to use the map command. Just enable the send email alert action, in the "To:" field set $result.email$ (email - depending on your field name in the Splunk result) and select trigger "for each result". An email will be sent to the respective email address for each line of the result.

https://docs.splunk.com/Documentation/Splunk/6.3.3/Alert/Emailnotification#Send_email_to_different_r...

ppablo
Retired

Hi @flle

I just wanted to follow up with this post, but did @MuS' answer below solve your question? If yes, please don't forget to click "Accept" directly below his answer to resolve this post so it's easier to find when searched by other users. Thanks!

Patrick

flle
Path Finder

Hi MuS,

sorry for the long delay in accepting the answer. It was the right approach; with the following search I got it working the way I wanted:

search ... | ldapfilter domain=mydomain search="(sAMAccountName=$user$)" attrs="DisplayName,givenName,mail"
| eval firstName=givenName | eval mail=mail | eval fullName=DisplayName
| eventstats values(mail) AS mail_adresses | eval recipients=mvjoin(mail_adresses, ",")
| table eventTime, field1, firstName, fullName, mail, recipients
| sendemail to="mailbox@example.net" bcc=$result.recipients$ from="sender@example.net" footer="My Mail Footer" server=localhost subject="Some Subject" message="Hallo $result.firstName$,
some text"

The evals to explicitly (re)assign the queried LDAP attributes to field names are necessary, as for some reason those fields are "special" in some way. They show up in a table, but when sendemail is used in the search the fields are empty.

kollachandra
Path Finder

I don't want the recipients list to show up in the alert. I am not able to use the recipients field without using it in the table command. If I use it in the table command and display the recipients in the alert, then it is working. Please advise.

kmcarrol
Path Finder

Fantastic suggestion. I hear that a much more complicated solution is possible via Python scripting and that will likely meet my needs much more closely since we don't want, and in some cases CAN'T, share the results for all users with all users. However, this will at least give me an option to present to my business partners in the meantime. Thanks!

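The thread ends on two open points: kollachandra wants the recipient list kept out of the alert table, and kmcarrol notes that a scripted (Python) action is the only way to avoid sharing every user's rows with every user, which the eventstats/bcc approach cannot do. The following is an added example written for this page, not code from the thread or from Splunk: a hypothetical custom alert script that takes a results CSV shaped like flle's table (eventTime, field1, firstName, fullName, mail, all assumed field names), groups rows by the mail field, and builds one message per recipient containing only that recipient's own rows, so no global To/Bcc list is ever constructed. The sample CSV is constructed, and the SMTP relay on localhost is an assumption carried over from the thread's searches.

```python
"""One email per recipient from Splunk-style search results.

Added example (not from the thread): models a custom alert script that
reads the results CSV Splunk hands to alert actions and mails each
recipient only their own rows. Building the messages is a pure step,
so it can be tested offline; sending is a separate, optional call.
"""
import csv
import io
import smtplib
from collections import defaultdict
from email.message import EmailMessage

# Constructed sample results with the field names from the thread's search.
# The last row has no mail address and must not produce a message.
SAMPLE_RESULTS_CSV = """eventTime,field1,firstName,fullName,mail
2015-01-10 08:00:00,login-failure,Anna,Anna Example,anna@example.net
2015-01-10 08:05:00,login-failure,Ben,Ben Example,ben@example.net
2015-01-10 09:30:00,password-expiry,Anna,Anna Example,anna@example.net
2015-01-10 10:00:00,login-failure,,,
"""


def parse_results(csv_text):
    """Parse the results CSV into a list of dict rows (one per event)."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def group_by_recipient(rows, mail_field="mail"):
    """Group rows by recipient address; rows with an empty address are
    dropped instead of being sent to an empty To: header."""
    groups = defaultdict(list)
    for row in rows:
        addr = (row.get(mail_field) or "").strip()
        if addr:
            groups[addr].append(row)
    return groups


def build_messages(rows, sender, subject, footer, mail_field="mail"):
    """Return one EmailMessage per distinct recipient. Each body lists only
    that recipient's rows, so other users' events never leave the script."""
    messages = []
    for addr, own_rows in sorted(group_by_recipient(rows, mail_field).items()):
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = addr          # a single address; no shared Bcc list
        msg["Subject"] = subject
        first_name = own_rows[0].get("firstName", "")
        lines = [f"Hallo {first_name},", ""]
        for r in own_rows:
            lines.append(f"{r['eventTime']}  {r['field1']}")
        lines += ["", footer]
        msg.set_content("\n".join(lines))
        messages.append(msg)
    return messages


def send_messages(messages, server="localhost", port=25):
    """Deliver the built messages over SMTP (assumed local relay)."""
    with smtplib.SMTP(server, port) as smtp:
        for msg in messages:
            smtp.send_message(msg)


if __name__ == "__main__":
    built = build_messages(parse_results(SAMPLE_RESULTS_CSV),
                           "sender@example.net", "Some Subject", "My Mail Footer")
    for m in built:
        print(m["To"], "<-", m.get_content().count("\n"), "lines")
    # send_messages(built)  # uncomment on a host with a local SMTP relay
```

In a real alert action the CSV would be read from the results file Splunk passes to the script rather than from the inline constant; the grouping and message construction stay the same, and because the per-recipient body is derived from the grouped rows alone, the recipients field that kollachandra had to expose in the table is never needed.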