- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- not sendemail if "Results not found"
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
not sendemail if "Results not found"
Hi. I'm trying to selectively send emails (using sendemail); if the output of the query is "No results found" or "No results", I don't want to send emails.
here's my cli command:
splunk search "|savedsearch hello|sendemail to=admin@example.com from=server@example.com sendresults=true format=html inline=true subject=splunk_log"
hello is a generic query returning nothing
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do it like this:
... | rename COMMENT1of3 AS "Splunk sendemail ALWAYS sends email, even when no results found; we address this with 2 settings:"
| rename COMMENT2of3 AS "First, we put 'null()' in 'to' header when no results; this causes 'sendemail' to error."
| rename COMMENT3of3 AS "Last, we use 'graceful=true' so that the search does not log any error for that."
| eval valueForToHeader=if(isnotnull(someFieldNameInYourResults), "YourGoodEmailGoesHere@YourCompany.com", null())
| sendemail
to=$result.valueForToHeader$
graceful=true
...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The caveat of this is that the email address must exist in the resultset, otherwise it assumes it's null. This means all your emails will have the field "valueForToHeader" at the end of all the columns. Could be worse, but could be much better.
If, in the case that you don't want to email if there are no results, you don't even need to put in an if statement. If there are no events, there can be no event where you can eval a value to a field -- therefore it will still try to send as null.
Tested the following scenarios:
| makeresults | eval to_address="test_address@company.com" | sendemail to=$result.to_address$ subject="Test Email"
This works
| makeresults | eval to_address="test_address@company.com" | table _time | sendemail to=$result.to_address$ subject="Test Email"
This does not work (null to address)
| makeresults | eval to_address="test_address@company.com", temp="something" | search temp="somethingelse" | sendemail to=$result.to_address$ subject="Test Email"
This does not work (null to address)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dirty way to do it, but effective!
Also a good way to email users who do bad things...
| eval to=case(_raw!="","whoz-at-who.com") | sendemail to=$result.to$
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Having the same issue. Is there a way when using the sendemail command to only send email if there are results?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you execute the search (result of which you want to email) manually on adhoc basis?
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
