
sendemail. email variable

gitingua
Communicator

In the output I get the result with users. The username is similar to the name of the mail. How do I call the username variable in the sendemail command?

username  abc  abc1  abc2
John      1    2     3
Smith     3    1     2
Georgy    2    3     1


| sendemail to="$username$@gmail.com" sendresults=true subject="Test sub" message="message"

Error:
command="sendemail", {u'@gmail.com': (501, '5.1.3 Invalid address')} while sending mail to: @gmail.com

In the output, the variable takes the username, gets everyone's name and sends a message to everyone.

And is it possible to make everyone get only their own line of output?

Thanks !!!

0 Karma

PickleRick
Champion

You probably can get around it but I would advise against doing it this way.

Firstly, you can't just use one "| sendemail" to spawn several email sending processes. For that you'd have to do some fancy "| map" thing. Secondly, sending emails to dynamically generated addresses... well, that's risky. Are you 100% sure your addresses are all right?

So yes, you can use "| map" to generate a separate sendemail command for each results row but I'd advise you to either write your own alert action or give the idea up completely and think of another way to do that.

0 Karma

gitingua
Communicator

@PickleRick Yes. I'm sure the names are the same as the email address. How do I write an application correctly? Could you write it, please?
I tried to write "| eval email = $username$."@gmail.com"". The address almost comes out, but the command "| sendemail to = $email$" does not accept it for some reason.

0 Karma

PickleRick
Champion

As I said earlier - if you just pipe results of a search to a sendemail command, you'll just issue one command for the whole set of results. I suppose it's not what you want. You want to launch a separate sendemail for each row of the result set.

That's what map command is for. If you're really sure you know what you're doing, use that command to spawn |sendemail for each row of your result set but that's a very ugly idea. Especially if you have many rows in your result set.

0 Karma

gitingua
Communicator

@PickleRick OK. I heard you. But can you somehow pass the created variable "email" to the "to" part of the "sendemail" command, without sending the result? Something like this: | sendemail to=$email$ message="Test messages to users"? It does not see "$email$" in this format.

0 Karma

PickleRick
Champion

Have you checked how the map command works? Templating parameters is its core functionality. Oh, and in your case you'd probably not want to send all results, just create a predefined (possibly templated) email contents.

0 Karma
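The per-row approach discussed in this thread, as an added example that is not from any of the posters: usernames are checked against an allow-list pattern before `map` templates them into one `sendemail` per row, so each recipient gets only their own line. The `sample_rows` field is constructed test data mirroring the table in the question, and the `gmail.com` suffix, the character allow-list and the `maxsearches` limit are assumptions to adjust.

```spl
| makeresults
| eval sample_rows="John,1,2,3;Smith,3,1,2;Georgy,2,3,1"
| makemv delim=";" sample_rows
| mvexpand sample_rows
| rex field=sample_rows "^(?<username>[^,]+),(?<abc>\d+),(?<abc1>\d+),(?<abc2>\d+)$"
| regex username="^[A-Za-z0-9._-]{1,64}$"
| dedup username
| eval email=username."@gmail.com"
| fields username abc abc1 abc2 email
| map maxsearches=20 search="| makeresults | eval username=\"$username$\", abc=\"$abc$\", abc1=\"$abc1$\", abc2=\"$abc2$\" | table username abc abc1 abc2 | sendemail to=\"$email$\" subject=\"Test sub\" message=\"message\" sendresults=true inline=true format=table"
```

`map` substitutes `$field$` values as plain text into the search string, which is why the rows are restricted to known-safe characters first; rows that fail the `regex` or `rex` step are dropped rather than mailed. `maxsearches` caps how many emails a single run can send.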