- Splunk Answers
- :
- Using Splunk
- :
- Reporting
- :
- Sendemail to recipient from a field
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
is it possible with Splunk V6 to dynamically mail an alert based on a field which contains the mail addy?
i have a lookup list where i can show the owner of IP's or Host Systems. And i want that if an error/outage happens the system owner will be notified via mail.
i want to avoid to develop an python script and use this with script execution within alerts or scheduled reports.
Thanks a lot
Matthias
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried the above idea and the search runs, but I see no email. If i manually put an email it works.
| rest splunk_server=local /services/search/jobs
| eval diskUsageMB=diskUsage/1024/1024
| rename eai:acl.owner as user
| lookup ldap_user user_name as user OUTPUT email as email
| stats sum(diskUsageMB) as totalDiskUsage values(email) AS address by user
| sort -totalDiskUsage | where totalDiskUsage > 400
| sendemail [
| rest splunk_server=local /services/search/jobs
| eval diskUsageMB=diskUsage/1024/1024
| rename eai:acl.owner as user
| lookup ldap_user user_name as user OUTPUT email as email
| stats sum(diskUsageMB) as totalDiskUsage values(email) AS to by user
| where totalDiskUsage > 300
| fields to]
subject="WARNING: Space on Splunk disk" sendresults=t
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This worked for 1 person.
To make work for all emails, add this in the subsearch before the | fields to] <\code>
stats values(to) AS to | nomv to | rex mode=sed field=to "s/ /,/g" <\code>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10 Months after had to do again in another situation, eventually its been a period knew we could do it, came back here and your example search helped to get me back on-track quickly . Successfully sent emails to many addresses.
And here it is a Thank You for the follow up comments.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Actual search | sendemail [Frame a search to give result as to=the_desired_address from field] subject=desired sendresults=true
get the email field, use eval function to make the subsearch yeild the result as to=email_address
This is working for me in 6.0.2.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried that and it did not work. Does this only work for 6.0.2 because I have 6.2.2.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This feature is planed to be included in Splunk Version 6.1
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
