Hi, I am trying to send search results to an email address using the sendemail command.
If I "hardcode" the to field in my sendemail command, this works great. However, the goal is to send the email to a field value from the search itself, so:
source=reallyBadUsers | Table User, Manager, ManagerEmailAddr | sendemail to=$ManagerEmailAddr$ sendresults=true priority=high subject="This guy is really bad" server=x.x.x.x
Obviously I've learned that $ManagerEmailAddr$ is not going to work.
How can I work around this? The "to" address will be dependent on the ManagerEmailAddr from the search.
Thanks,
Brian
Hi,
I ran into the same problem, and here is how I got it to work by referencing the Result tokens section of Splunk's documentation.
<Base search>
| table User, EmailAddress
| sendemail to=$result.EmailAddress$ from="me@example.com" ...
https://docs.splunk.com/Documentation/Splunk/8.1.2/Alert/EmailNotificationTokens
Hi,
you should go for the "sendresults Command": https://splunkbase.splunk.com/app/1794 (details here: app details)
This app basically configures a custom command that allows you to:
"Dynamically evaluate who to send results to, based upon the results of the search itself."
I used it in the past and it works charmingly.
Hope this helps,
regards
Hi,
I had the same issue. The above query did not send an email either. Please let me know if you are able to get the solution.
Regards,
Pallavi
Try this:
source=reallyBadUsers | Table User, Manager, ManagerEmailAddr | sendemail [source=reallyBadUsers | Table ManagerEmailAddr | mvcombine delim="," ManagerEmailAddr | nomv ManagerEmailAddr | rename ManagerEmailAddr as to] sendresults=true priority=high subject="This guy is really bad"
Hi somesoni2,
From your above example, I got the following query, which is supposed to send an email of the result, if result > 0, to a predefined user email. The src_email needs to be dynamically set. But it is sending the email even though there is no result. Please advise how to update it to only send email when result > 0. Thanks
earliest=-60m@m index=network comment="Comment"
| dedup local_start_time src_name src_number src_email src_site src_location dest_name dst_number
| table local_start_time src_name src_number src_email src_site src_location dest_name dst_number
| eval from=src_email | sendemail
[ search earliest=-60m@m index=network comment="Comment"
| dedup local_start_time src_name src_number src_email src_site src_location dest_name dst_number
| table src_email
| rename src_email as from] to="mike@company.org" format=table subject="Comment" server=mail.company.org sendresults=true inline=true
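The two approaches discussed in this thread differ in where the recipient is resolved. The result-token answer ($result.EmailAddress$) only works when the search is saved as an alert, because the tokens are substituted by the alert action, not by the ad-hoc sendemail command; the subsearch approach works in an ad-hoc search but, as the last post reports, still sends when the search returns nothing. The stanza below is an added savedsearches.conf example (not from any poster or from Splunk's documentation) that puts the original question's search into a scheduled alert whose trigger condition is "number of events greater than 0", so no email is produced for an empty result set, and whose recipient comes from the results. The stanza name, schedule, and subject text are assumptions; the field names are the ones from the original question.

```ini
# Added example: scheduled alert whose recipient is taken from the search results.
# Stanza name, schedule and subject are illustrative; field names come from the thread.
[Really bad users - notify manager]
search = source=reallyBadUsers | table User, Manager, ManagerEmailAddr

# Run every 15 minutes over the previous 15 minutes.
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now

# Trigger condition: the email action fires only when the search returns at least one row,
# which is what the ad-hoc "| sendemail" command in the question cannot do on its own.
counttype = number of events
relation = greater than
quantity = 0

# Email action with result tokens. $result.<field>$ is taken from the FIRST result row,
# so with several managers in the results only the first one is addressed.
action.email = 1
action.email.to = $result.ManagerEmailAddr$
action.email.subject = Bad user activity reported for $result.User$
action.email.sendresults = 1
action.email.inline = 1
action.email.format = table
```

The first-row limitation is the practical caveat: if one scheduled run can produce rows for several different managers, either narrow the search so each run yields a single manager, or use the subsearch form from somesoni2's answer (which joins all addresses into one "to" string and sends a single email to all of them), or the sendresults app mentioned above, which exists precisely to fan out one email per recipient.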