Sendemail to recipient from a field

Matthias_BY
Communicator

Hello,

Is it possible with Splunk V6 to dynamically mail an alert based on a field which contains the mail addy?

I have a lookup list where I can show the owner of IPs or host systems. And I want the system owner to be notified via mail if an error/outage happens.

I want to avoid developing a Python script and using it with script execution within alerts or scheduled reports.

Thanks a lot
Matthias


Matthias_BY
Communicator

This feature is planned to be included in Splunk Version 6.1


jluste
Path Finder

I tried the above idea and the search runs, but I see no email. If I manually put an email it works.

| rest splunk_server=local /services/search/jobs
| eval diskUsageMB=diskUsage/1024/1024
| rename eai:acl.owner as user
| lookup ldap_user user_name as user OUTPUT email as email
| stats sum(diskUsageMB) as totalDiskUsage values(email) AS address by user
| sort -totalDiskUsage | where totalDiskUsage > 400
| sendemail [
| rest splunk_server=local /services/search/jobs
| eval diskUsageMB=diskUsage/1024/1024
| rename eai:acl.owner as user
| lookup ldap_user user_name as user OUTPUT email as email
| stats sum(diskUsageMB) as totalDiskUsage values(email) AS to by user
| where totalDiskUsage > 300
| fields to]
subject="WARNING: Space on Splunk disk" sendresults=t

jluste
Path Finder

This worked for 1 person.
To make it work for all emails, add this in the subsearch before the | fields to]

stats values(to) AS to | nomv to | rex mode=sed field=to "s/ /,/g"

rthakalapally1
Explorer

10 months later, had to do this again in another situation; it's been a while, knew we could do it, came back here, and your example search helped to get me back on track quickly. Successfully sent emails to many addresses.
And here is a thank you for the follow-up comments.

rthakalapally1
Explorer

Actual search | sendemail [Frame a search to give result as to=the_desired_address from field] subject=desired sendresults=true
Get the email field, and use the eval function to make the subsearch yield the result as to=email_address

This is working for me in 6.0.2.

syx093
Communicator

I tried that and it did not work. Does this only work for 6.0.2, because I have 6.2.2?
