Hi experts
I have one search where I am extracting username from a Windows event and using a static lookup table to extract the email_id of that username. Now I have to pass this field email_id as a token to the sendemail command or in an alert. If it is possible, please let me know the solution.
eventtype="wineventlog_windows" (host="*" OR ComputerName="*") TaskCategory="*" SourceName="*" EventCode="4720" Type="*" source="WinEventLog:Security" sourcetype="WinEventLog:Security" | lookup mail username as src_user output emailid as email_id | sendemail to="$result.email_id$" server=mycompanymailserver
The search above is what I'm trying to do. I am capturing an event 4720 on a Windows server. I'm extracting email_id from a lookup table and that email_id has the email address. Now I want to pass this email_id to my alert settings so alerts should go to the value mentioned in email_id.
Yes, it is possible.
From results, you use the "$result.fieldname$" token to access the first value of a specified field in search results.
This token is available from the following contexts:
Alert actions
Scheduled reports
Token: $result.fieldname$
Description: Returns the first value for the specified field name from the first result in the search. The field name must be present in the search.
See this:
docs.splunk.com/Documentation/Splunk/6.2.2/Alert/Setupalertactions
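As an added illustration of the answer above (this is an example written for this page, not code from the answerer or from the Splunk documentation), here is what the alert looks like when defined as a savedsearches.conf stanza. The lookup name "mail", its fields and the field email_id are taken from the question; the stanza name, schedule and message text are constructed assumptions. Because $result.fieldname$ only reads the first result, the stanza also turns off digest mode so the alert fires once per result and each created account's contact is emailed, not just the first one in the window.

```ini
# Added example, not from the original thread. Stanza name, schedule and
# message wording are constructed; the lookup "mail" and the fields
# src_user / emailid / email_id come from the question.
[notify_new_user_owner]
search = eventtype="wineventlog_windows" source="WinEventLog:Security" sourcetype="WinEventLog:Security" EventCode="4720" \
| lookup mail username AS src_user OUTPUT emailid AS email_id \
| table _time ComputerName src_user email_id

# Run every 5 minutes over the last 5 minutes (assumed schedule).
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = now

# Trigger whenever at least one 4720 event matched.
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1

# Fire once per result rather than once per search run, so that
# $result.email_id$ is evaluated for every created account, not only
# for the first row returned.
alert.digest_mode = 0

# Email action: the recipient comes from the lookup output field.
action.email = 1
action.email.to = $result.email_id$
action.email.subject = New Windows account $result.src_user$ created on $result.ComputerName$
action.email.message.alert = Account $result.src_user$ was created at $result._time$ on $result.ComputerName$. Review if this was not expected.
action.email.sendresults = 1
```

The same values can be entered through the Alert action UI (the "To" field of the email action accepts $result.email_id$ directly); the stanza form is shown here only because it makes every setting visible in one place. Configure the mail server under Settings > Server settings > Email settings rather than in the stanza.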