Splunk Search

How to create a Report that send emails row by row, with the contents in columns?

DS904458
Engager

Hi all,

I'm not a native English speaker, but I will do my best to explain the question.

To be clear, I need to do this in a "Report". That means I can't use a saved job as in a Dashboard.
So I need to do this in a single search, I guess.

 

I did a previous search and got a result table like the one below:

Test_Project | Test_Site | Failed_Test_Items      | Test_Admin_Email
Notebook_XX  | A         | Item_1, Item_5, Item_7 | dog@mail.com, cat@mail.com, bird@mail.com
Mobile_DD    | A         | Item_1, Item_2         | dog@mail.com
Notebook_XX  | B         | Item_3                 | cat@mail.com
Mobile_DD    | B         | Item_6, Item_7         | bird@mail.com, cat@mail.com

Failed_Test_Items is a multi-value column.
Test_Admin_Email is a single-string column.

Anyway, I need to send an email about the testing result row by row.
For example, send this to 3 different email addresses: dog@mail.com, cat@mail.com, bird@mail.com

Test_Project | Test_Site | Failed_Test_Items
Notebook_XX  | A         | Item_1, Item_5, Item_7

And send this to two email addresses: bird@mail.com, cat@mail.com

Test_Project | Test_Site | Failed_Test_Items
Mobile_DD    | B         | Item_6, Item_7


Every row will represent a different email.
So in this case, I will send 4 emails.
And it needs to be done by Report, because I need to schedule it.

Please help me in a simple way, maybe with some simple examples.
I am still a Splunk noob.

0 Karma
1 Solution

VatsalJagani
Champion

@DS904458 - You can extend your search with the sendemail command (https://docs.splunk.com/Documentation/Splunk/8.2.6/SearchReference/Sendemail )

<your search>
| map search="| sendemail to=$Test_Admin_Email$ subject=\"some subject\" message=\"Test_Project=$Test_Project$, Test_Site=$Test_Site$, Failed_Test_Items=$Failed_Test_Items$\" "

Please read here about the map command, as it has some limitations on how many results it can process. - https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Map

 

I hope this helps!!!


PickleRick
Ultra Champion

It ain't that easy, especially because of the need to handle multivalued fields (multiple recipients) properly. And it's simply a bad idea.

Splunk is not a bulk email solution and you can hit many obstacles like relaying problems. As a rule of thumb, you should not need to use the sendemail command at all.

Also, the use of the map command, however "formally correct", is not the advised way to do things if you can avoid it - it spawns a separate search for every single row of results of the main search.

0 Karma

DS904458
Engager

Any chance I could send the result row by row with a table structure like this? (including header and box)

Test_Project | Test_Site | Failed_Test_Items
Mobile_DD    | B         | Item_6, Item_7
0 Karma

VatsalJagani
Champion

@DS904458 - Not possible unless you write your own alert action to send multiple emails based on results in this format.

 

References:

https://docs.splunk.com/Documentation/Splunk/8.2.6/AdvancedDev/ModAlertsIntro

https://docs.splunk.com/Documentation/AddonBuilder/4.1.0/UserGuide/CreateAlertActions 

0 Karma
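Along the lines of the custom-alert-action route suggested above, here is an added example of what such an action's script could do; it is written for this page and is not code from the thread's participants or from Splunk. It reads the results file Splunk hands to an alert action, splits the comma-separated Test_Admin_Email string, decodes the multivalue Failed_Test_Items field, and builds one email per row containing an HTML table with a header. It assumes the standard alert-action payload layout (JSON on stdin with a results_file pointing at a gzipped CSV, multivalue fields carried in __mv_<field> companion columns encoded as $v1$;$v2$); the smtp_host setting and the sender address are hypothetical, and the sample CSV is constructed from the question's table rather than taken from real Splunk output.

```python
"""
Splunk custom alert action sketch: one email per result row, each carrying
an HTML table (header + cells) for that row.

Added example for this thread, not code from its authors or from Splunk.
Assumptions: Splunk runs the script with "--execute" and a JSON payload on
stdin whose "results_file" names a gzipped CSV of the search results; a
multivalue field appears there as a plain column (values joined with
newlines) plus a companion "__mv_<field>" column encoded "$v1$;$v2$".
"""
import csv
import gzip
import html
import io
import json
import re
import smtplib
import sys
from email.message import EmailMessage

TABLE_FIELDS = ["Test_Project", "Test_Site", "Failed_Test_Items"]
RECIPIENT_FIELD = "Test_Admin_Email"
ADDR_RE = re.compile(r"^[^\s@,;<>]+@[^\s@,;<>]+\.[^\s@,;<>]+$")


def split_mv(row: dict, field: str) -> list[str]:
    """Return the values of a possibly multivalue field from one results row."""
    raw_mv = row.get(f"__mv_{field}", "")
    if raw_mv:
        # "$a$;$b$" -> ["a", "b"]; "$$" inside a token is an escaped "$".
        # Simplified decoder: a value containing ";" would be mis-split here.
        return [tok[1:-1].replace("$$", "$") for tok in raw_mv.split(";") if tok]
    return [v for v in row.get(field, "").split("\n") if v]


def parse_recipients(value: str) -> list[str]:
    """Split the comma-separated single-string address field and validate each
    entry. The values come from indexed data, so anything that is not a plain
    address (whitespace, CR/LF, angle brackets) is dropped rather than trusted."""
    out = []
    for part in value.split(","):
        addr = part.strip()
        if addr and ADDR_RE.match(addr):
            out.append(addr)
    return out


def render_table(row: dict) -> str:
    """HTML table with a header row and one data row; every cell is escaped."""
    head = "".join(f"<th>{html.escape(f)}</th>" for f in TABLE_FIELDS)
    cells = "".join(
        "<td>" + "<br>".join(html.escape(v) for v in split_mv(row, f)) + "</td>"
        for f in TABLE_FIELDS
    )
    return f'<table border="1"><tr>{head}</tr><tr>{cells}</tr></table>'


def build_messages(results_csv: str, sender: str, subject_prefix: str) -> list[EmailMessage]:
    """One EmailMessage per row; rows without a usable recipient are skipped."""
    messages = []
    for row in csv.DictReader(io.StringIO(results_csv, newline="")):
        rcpts = parse_recipients(row.get(RECIPIENT_FIELD, ""))
        if not rcpts:
            continue
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = ", ".join(rcpts)
        msg["Subject"] = f"{subject_prefix} {row.get('Test_Project', '')}/{row.get('Test_Site', '')}"
        msg.set_content("Failed items: " + ", ".join(split_mv(row, "Failed_Test_Items")))
        msg.add_alternative(render_table(row), subtype="html")  # HTML part beside the text part
        messages.append(msg)
    return messages


def load_results_file(path: str) -> str:
    """Read the gzipped results CSV that Splunk names in the alert payload."""
    with gzip.open(path, "rt", newline="") as fh:
        return fh.read()


# Constructed sample matching the question's table (not real Splunk output).
SAMPLE_CSV = (
    "Test_Project,Test_Site,Failed_Test_Items,__mv_Failed_Test_Items,Test_Admin_Email\r\n"
    'Notebook_XX,A,"Item_1\nItem_5\nItem_7",$Item_1$;$Item_5$;$Item_7$,"dog@mail.com, cat@mail.com, bird@mail.com"\r\n'
    'Mobile_DD,A,"Item_1\nItem_2",$Item_1$;$Item_2$,dog@mail.com\r\n'
    "Notebook_XX,B,Item_3,,cat@mail.com\r\n"
    'Mobile_DD,B,"Item_6\nItem_7",$Item_6$;$Item_7$,"bird@mail.com, cat@mail.com"\r\n'
)


def main() -> None:
    if "--execute" in sys.argv:  # invoked by Splunk as an alert action
        payload = json.load(sys.stdin)
        csv_text = load_results_file(payload["results_file"])
        smtp_host = payload.get("configuration", {}).get("smtp_host", "localhost")  # hypothetical setting
    else:  # offline demo: build the messages, send nothing
        csv_text, smtp_host = SAMPLE_CSV, None
    for msg in build_messages(csv_text, "splunk@example.com", "[Test results]"):
        if smtp_host:
            with smtplib.SMTP(smtp_host) as smtp:
                smtp.send_message(msg)
        else:
            print(msg["To"], "|", msg["Subject"])


if __name__ == "__main__":
    main()
```

Run without arguments it only prints the four recipient/subject pairs from the constructed sample; under Splunk it would still need to be registered as an alert action in alert_actions.conf and placed in the app's bin directory. The recipient validation is the part worth keeping even if the rest changes: Test_Admin_Email is search output, so a row carrying a CR/LF or an extra address in that field must not be allowed to reach the SMTP headers unchecked.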