How to create a token from a field (email_id) and ...

jitendrasingh12 · ‎04-26-2015

Hi experts

I have one search where I am extracting username from a Windows event and using a static lookup table to extract the email_id of that username. Now I have to pass this field email_id as a token to the sendemail command or in an alert. If it is possible, please let me know the solution.

jitendrasingh12 · ‎04-27-2015

eventtype="wineventlog_windows" (host="*" OR ComputerName="*") TaskCategory="*"  SourceName="*" EventCode="4720" Type="*" source="WinEventLog:Security" sourcetype="WinEventLog:Security" | lookup mail username as src_user output emailid as email_id | sendemail to="$result.email_id$" server=mycompanymailserver

The search above is what I'm trying to do. I am capturing an event 4720 on a Windows server. I'm extracting email_id from a lookup table and that email_id has the email address. Now I want to pass this email_id to my alert settings so alerts should go to the value mentioned in email_id.

stephane_cyrill · ‎04-27-2015

Yes it is possible.

From results, you use the " result.token " to access the
first value of a specified field in search results.
This token is available from the following contexts:

Alert actions
Scheduled reports
Token Description

$result.fieldname$
Returns the first value for the specified field name from the first
result in the search. The field name must be present in the
search.

see this:

docs.splunk.com/Documentation/Splunk/6.2.2/Alert/Setupalertactions

How to create a token from a field (email_id) and pass the token to the sendemail command in an inline search?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!