Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a search based on search results using command 'sendemail'?

gl_splunkuser
Path Finder
‎06-22-2020 05:09 PM

Hello, I am using Splunk enterprise 7.3.5.

I would like to send an email, using the command sendemail, but I would like to create it based on a search result, so I am trying:

 

eventtype = myeventype | table message_subject, sender_address |sendemail sendresults=true inline=true from=$sender_address$ subject=$message_subject$ to=myemail

 

Where

message_subject and sender_address, are fields of the search. 

But when I received the email, looks like- (see the attached image)

Basically, the parameters are not working, I received the email without any of those parameters set.

 

email_bySplunk.PNG

How can I fix that?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gjanders
SplunkTrust
SplunkTrust
‎06-22-2020 09:37 PM

SendResults

Would likely be a good fit...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply
Solved! Jump to solution

gl_splunkuser
Path Finder
‎06-23-2020 09:22 AM

Sendresults as I read don't have the feature to set parameters in the value - sender: The sender (from) address of the emails - requires quotes. Defaults to Splunk SMTP sender setting. The same sender is used for all emails sent and not customizable on a per-email basis. - 

And I need to set that value as a parameter.

 

Thanks for your help. 

Tags (1)
0 Karma
Reply
Solved! Jump to solution

gjanders
SplunkTrust
SplunkTrust
‎06-23-2020 10:46 PM

Quoting the details page of sendresults app from SplunkBase:

"The Search Command version of Sendresults supports the following syntax and optional arguments:

sendresults [sender=string] [subject=string] [body=string] [footer=string] [maxrcpts=int] [msgstyle=string] [format_columns=string] [bcc=string] [showresults=boolean] [showemail=boolean] [showsubj=boolean] [showbody=boolean] [showfooter=boolean]

sender: The sender (from) address of the emails - requires quotes. Defaults to Splunk SMTP sender setting. The same sender is used for all emails sent and not customizable on a per-email basis."

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
Reply
Solved! Jump to solution

gl_splunkuser
Path Finder
‎06-23-2020 11:49 AM

I used the app sendresults, works pretty well, but I modify the sendresults.py to have the capability to use the sender as a parameter.

Code:

sender = event['sender']

And sent it as a parameter of sendemail function. 

Thanks for the suggestion @gjanders 

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...