
How to dynamically set the subject field in sendresults command app?

nibinabr
Communicator

Is there a way to set the subject field in the sendresults command app dynamically?

I'm looking for something like the following:

index=myindex | eval email_to="abc@splunk.com" | eval new_subject="Index is ".index | sendresults showemail=f subject=new_subject body="Body of the email"

What happens in the above scenario is that the subject of the email will be the string "new_subject" instead of its value. I need the subject to be "index is myindex".

Any thoughts?

1 Solution

mockd
Path Finder

Hi!

Thank you for your interest in the sendresults command.

At this time the sendresults command does not support what you are looking to do. As you probably saw, the command is expecting a string in the subject parameter and not the value as passed in from another field.

We are looking to update the command soon and this would be a great new feature to add into the next release.


chandrasekharko
Path Finder

Actually, with the newer version of the sendresults app, which is 4.0, the table column headers aren't in a constant pattern for the alert every time. One time it shows in one order, some other time the column names are in another order.



mockd
Path Finder

Hi, thanks for raising the issue. Can you email support@discoveredintelligence.ca and we can look into this issue a bit deeper.

Thanks.


gjanders
SplunkTrust

FYI may be worth creating a new question for the next question around this, I only bumped this old question to advise it was now possible to use a dynamic subject!


gjanders
SplunkTrust

Updating this old post to advise that email_subj and email_body are now supported fields as of sendresults 4.0.

chandrasekharko
Path Finder

I am getting the following error with the new version.
command="sendresults", Error : All results must contain a field named email_to with the intended recipient.

I am not sure what I am missing in the query.
index=mtr source="mine" level=ERROR
| sort - _time
| eval Time = strftime(_time, "%m/%d/%y %I:%M:%S %p")
| eventstats count as TOTAL_COUNT
| eval criticality = case(TOTAL_COUNT > 100, "Critical", TOTAL_COUNT >= 50, "Warning", 1==1, "Info")
| eval email_to=case(
match(criticality,"Critical"), "chandra.kolla@xyz.com",
match(criticality,"Warning"), "abcd@gmail.com",
match(criticality,"Info"), "chandra.kolla@qwerty.com")
| eval email_subj=case(
match(criticality,"Critical"),"Critical Severity Errors",
match(criticality,"Warning"),"High Severity Errors",
match(criticality,"Info"),"Info Severity Errors")
| table Time,level,serviceName,requestId,ipAddress,logger,message,email
| sendresults


mockd
Path Finder

Hi,

Are you including all the necessary field in your table command that the sendresults command requires? From your example it looks like the email_to and email_subj are not.

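A corrected form of the search posted above, added here as an example and not code from any participant or from the app itself. It assumes, as the replies state, that sendresults 4.0 reads the recipient and subject from email_to and email_subj on every result, so both fields are kept in the table; the index, source and addresses are the placeholders from the posted search, and the event count appended to the subject is an extra illustration of a value computed at search time.

```spl
index=mtr source="mine" level=ERROR
| sort - _time
| eval Time = strftime(_time, "%m/%d/%y %I:%M:%S %p")
| eventstats count as TOTAL_COUNT
| eval criticality = case(TOTAL_COUNT > 100, "Critical", TOTAL_COUNT >= 50, "Warning", 1==1, "Info")
| eval email_to = case(
    criticality=="Critical", "chandra.kolla@xyz.com",
    criticality=="Warning",  "abcd@gmail.com",
    criticality=="Info",     "chandra.kolla@qwerty.com")
| eval email_subj = case(
    criticality=="Critical", "Critical Severity Errors",
    criticality=="Warning",  "High Severity Errors",
    criticality=="Info",     "Info Severity Errors")
| eval email_subj = email_subj . " (" . TOTAL_COUNT . " events)"
| table Time level serviceName requestId ipAddress logger message email_to email_subj
| sendresults showemail=f
```

Every row now carries email_to and email_subj, which is what the "All results must contain a field named email_to" error was complaining about.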

chandrasekharko
Path Finder

I am sorry. It makes sense now. I got it.


chandrasekharko
Path Finder

Actually, the table column headers aren't in a constant pattern for the alert every time. One time it shows in one order, some other time the column names are in another order.


chandrasekharko
Path Finder

Yes I think.

| eval email_to=case(
match(criticality,"Critical"), "chandra.kolla@xyz.com",
match(criticality,"Warning"), "abcd@gmail.com",
match(criticality,"Info"), "chandra.kolla@qwerty.com")
| eval email_subj=case(
match(criticality,"Critical"),"Critical Severity Errors",
match(criticality,"Warning"),"High Severity Errors",
match(criticality,"Info"),"Info Severity Errors")


Ravan
Path Finder

It's not a direct approach, but the Splunk map command comes in very handy in these cases. For example, in the below scenario I want to change the mail subject / email details by each host name. So I will write the logic in the main search and pass unique host and subject fields to the map search.

This will send the mail results with pre-defined email id / subject by each host you have. You can alter the mail search logic as it suits your requirement.

index=myindex
| dedup host
| eval new_subject=if(host="abc","abc",null()) .....etc logic
| eval mail_id=if(host="abc","abc@splunk.com",null()) .....etc logic
| table host new_subject mail_id
| map search="search index=myindex host=$host$ | table _time user action other-fields ..... | eval email_to=\"$mail_id$\" | sendresults showemail=f subject=\"$new_subject$\" body=\"Body of the email\""


nibinabr
Communicator

Good to know. Even though I didn't do a deep dive into the code, this comment[1] actually made me think that if there is a field called subject in the events returned, it will be set as the subject of the email.

[1] https://github.com/DiscoveredIntelligence/sendresults/blob/master/bin/sendresults.py#l73

tomjones101
Explorer

Hi mockd, any idea when the next version will be released? Dynamic subject and body would be a big win here.


chandrasekharko
Path Finder

Any update on this one? I have been trying to send the alert with the dynamic subject. Any help is appreciated.


mockd
Path Finder

Hi, if you reach out to us on the support address listed on the details section of the Splunkbase page for Sendresults, I can send you a beta version we finally have ready to be tested.


mockd
Path Finder

That sounds like a good idea. Thanks!


chimell
Motivator

Hi nibinabr,
Don't you want to use the sendemail command?
If using the sendemail command will satisfy you, tell me.


nibinabr
Communicator

Sure, sendemail is an option. I was under the assumption that sendemail cannot take variables as its email subject etc., and that was the reason I was trying out sendresults. How do I achieve this using sendemail?
