How to create a token from a field (email_id) and pass the token to the sendemail command in an inline search?

jitendrasingh12
Explorer

Hi experts

I have one search where I am extracting username from a Windows event and using a static lookup table to extract the email_id of that username. Now I have to pass this field email_id as a token to the sendemail command or in an alert. If it is possible, please let me know the solution.

0 Karma

jitendrasingh12
Explorer
eventtype="wineventlog_windows" (host="*" OR ComputerName="*") TaskCategory="*"  SourceName="*" EventCode="4720" Type="*" source="WinEventLog:Security" sourcetype="WinEventLog:Security" | lookup mail username as src_user output emailid as email_id | sendemail to="$result.email_id$" server=mycompanymailserver

The search above is what I'm trying to do. I am capturing an event 4720 on a Windows server. I'm extracting email_id from a lookup table and that email_id has the email address. Now I want to pass this email_id to my alert settings so alerts should go to the value mentioned in email_id.

0 Karma

stephane_cyrill
Builder

Yes it is possible.

From results, you use the $result.token$ token to access the
first value of a specified field in search results.
This token is available from the following contexts:

Alert actions
Scheduled reports

Token: $result.fieldname$
Description: Returns the first value for the specified field name from the first
result in the search. The field name must be present in the
search.

see this:

docs.splunk.com/Documentation/Splunk/6.2.2/Alert/Setupalertactions
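The answer above covers the token; what it does not spell out is that $result.fieldname$ reads only the first result, so an alert that fires once for the whole result set mails every new account to the first matching email_id. The savedsearches.conf stanza below is an added example (not from the question or the answer) that wires the question's search into an email alert action and triggers the action once per result; the stanza name, schedule and subject wording are assumptions, while the lookup name `mail`, the fields `username`, `emailid`, `src_user` and `email_id`, and Event ID 4720 come from the question.

```ini
# savedsearches.conf (added example; stanza name, schedule and subject text are assumptions)
[New local account created - notify owner]
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = now

# Search from the question, minus the wildcard filters that match everything.
# The lookup "mail" maps username -> emailid; rows without a lookup hit are dropped
# so the email action never runs with an empty recipient.
search = eventtype="wineventlog_windows" source="WinEventLog:Security" sourcetype="WinEventLog:Security" EventCode=4720 \
| lookup mail username AS src_user OUTPUT emailid AS email_id \
| search email_id=* \
| table _time host src_user email_id

# Fire whenever at least one matching event exists in the window.
counttype = number of events
relation = greater than
quantity = 0

# Per-result triggering: with digest mode (the default, alert.digest_mode = 1) the
# action runs once and $result.email_id$ is the FIRST result's address only, so several
# accounts created in one window would all be reported to one owner. With digest mode
# off, the action runs once per result and each $result.*$ token is taken from that result.
alert.digest_mode = 0
alert.track = 1

# Email alert action; tokens are substituted from the triggering result.
action.email = 1
action.email.to = $result.email_id$
action.email.subject = New account $result.src_user$ created on $result.host$
action.email.message.alert = Account $result.src_user$ was created on $result.host$ (Windows Event ID 4720).
action.email.inline = 1
action.email.sendresults = 1
```

The same lookup and `$result.email_id$` token can be set in the alert's "To" field from the UI; this stanza is just the on-disk form of those settings, and the mail server itself is taken from the global alert_actions.conf rather than from a `server=` argument.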
