I have a search that uses the values in temp.csv file to generate an email for each row with specific values.
Let's say the csv looks like this
john doe, blah
bob smith, stuff
The search looks like this (quotes within the subsearch are escaped, just not showing here):
| inputlookup temp.csv | map search="| sendemail to=$field2$ subject=\"subject line\" firstname.lastname@example.org message=\"test test $field1$ test test \""
My problem is that when the field value (field1 in the search above) contains a space it stops populating the email after the space and sends it as is. It doesn't seem to have an issue with spaces in text specified at search time.
I should have opened a new question but thought this is quite related. Hence adding to the thread.
I am trying to do something similar but the challenge I am seeing that everytime the message is going as literal text string and doesn't look very nicely formatted.
Query is :
index=abc | table line1 line2 EmailID subject
| map search="
|sendemail server=test.server email@example.com to=$EmailID$ subject=$subject$" message=$freetext$
This query goes into a loop for all individual rows and send an email to respective/individual EmailIDs having freetext printed as :
However I am expecting to send the data in this format:
Any idea? Indeed Line 2 is a URL.
sorry guys... I found the solution by my own. To my strange the same solution did not work back in older splunk version and worked fine in 6.2.
It is just we need to escape the line out using shift+ enter while creating the message string
As a workaround you could probably do:
| inputlookup temp.csv | replace " " with "_" in field1 | map search="| sendemail to=$field2$ subject="subject line" firstname.lastname@example.org message="test test $field1$ test test ""
Hi karabsze, I had this email from Splunk Support back on March 4th.
Just an update on the issue.
We have fixed the issue of handling variable name with quoted values inside the quotes. This will be included in the next maintance release, 6.1.8, scheduled in the 2nd half of May.
Thank you for your patience on the matter, much appreciated and feel free to ask should you have any more questions on this.
I got around the original problem by just using the first name so never tested to see if the issue remained post-6.1.8. Hope that helps.