Splunk Search

Why are users getting "No results found" in the email they receive from running a map search with the sendemail command?

kalianov
Path Finder

Hi all,

my search | stats count(filename) AS files, sum(size) AS TotalMb by user| sort -TotalMb | eval email=user."@mydomai.com" 
| table user, files, TotalMb, email | head 2 

Result is:

user1,   123,    506, user1@mydomai.com
user2,   234,    26,   user2@mydomai.com

I need to send each row to the corresponding user from the search result:

 first row to user1@mydomai.com
 second row to user2@mydomai.com

I am using:

my search | stats count(filename) AS files, sum(size) AS TotalMb by user| sort -TotalMb | eval email=user."@mydomai.com" 
| table user, files, TotalMb, email | head 2 
| map search="sendemail to=$email$ from=splunk@mydomain.com subject="Big files" sendresults=true inline=true priority=normal server="mail.server" message="TEST""

Result is emailed for each user with "No results found". Why are users not receiving emails with the results of the search?

Please help

1 Solution

somesoni2
SplunkTrust
SplunkTrust

The map command is used to execute a search (map subsearch) for each result of the base search. Here, for each row of the base search (those two rows with user1 and user2), the map subsearch (the string within quotes) is "sendemail to=$email$ from=splunk@mydomain.com subject="Big files" sendresults=true inline=true priority=normal server="mail.server" message="TEST"", which is not a valid full search and thus the "No results found".

Try something like this

my search | stats count(filename) AS files, sum(size) AS TotalMb by user| sort -TotalMb | eval email=user."@mydomai.com" 
 | table user, files, TotalMb, email | map search="|gentimes start=-1 | eval user="$user$" | eval files=$files$ | eval TotalMb=$TotalMb$ |  sendemail to=$email$ from=splunk@mydomain.com subject="Big files" sendresults=true inline=true priority=normal server="mail.server" message="TEST""

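To make the explanation above concrete, here is an added example (not from the original thread or from Splunk) that models, in Python, what map does with its search string per row: substitute each $field$ token with the row's value, then look at what the resulting string starts with. It assumes the usual SPL rule that a string without a leading "|" is run as an implicit "search" over the literal terms, while a leading generating command such as gentimes produces its own row for sendemail to attach; the sample rows are constructed from the question's two results.

```python
import re

# Constructed rows, mirroring the two results shown in the question.
BASE_ROWS = [
    {"user": "user1", "files": "123", "TotalMb": "506", "email": "user1@mydomai.com"},
    {"user": "user2", "files": "234", "TotalMb": "26", "email": "user2@mydomai.com"},
]

# The questioner's map string and the accepted answer's corrected one (shortened).
ORIGINAL = ('sendemail to=$email$ from=splunk@mydomain.com subject="Big files" '
            'sendresults=true inline=true')
FIXED = ('|gentimes start=-1 | eval user="$user$" | eval files=$files$ '
         '| eval TotalMb=$TotalMb$ | sendemail to=$email$ from=splunk@mydomain.com '
         'subject="Big files" sendresults=true inline=true')

# Commands that generate rows on their own (assumed list, enough for this model).
GENERATING = {"gentimes", "makeresults", "inputlookup", "rest"}
TOKEN = re.compile(r"\$(\w+)\$")


def substitute(template, row):
    """Replace every $field$ with the row's value, as map does textually per row."""
    def repl(match):
        name = match.group(1)
        if name not in row:
            raise KeyError(f"base search row has no field {name!r}")
        value = row[name]
        # Textual substitution: a value containing quotes or pipes would change the
        # structure of the subsearch, so refuse it rather than emit a broken search.
        if any(ch in value for ch in '"|'):
            raise ValueError(f"field {name!r} contains characters unsafe to splice")
        return value
    return TOKEN.sub(repl, template)


def first_command(spl):
    """Command that runs first: the word after a leading '|', else an implicit 'search'."""
    text = spl.strip()
    if text.startswith("|"):
        return text[1:].split(None, 1)[0].lower()
    return "search"


def expand_map(template, rows):
    """Per row: (rendered subsearch, first command, whether it generates its own rows)."""
    results = []
    for row in rows:
        rendered = substitute(template, row)
        cmd = first_command(rendered)
        results.append((rendered, cmd, cmd in GENERATING))
    return results
```

With ORIGINAL every row yields an implicit "search" for the literal words "sendemail to=...", which finds nothing, so sendemail has no results to attach; with FIXED each row starts with gentimes and carries the user's own values into the email.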

martin_mueller
SplunkTrust
SplunkTrust

Skip the entire map approach. Ground rule: map is never the answer, there are very very few exceptions.

Instead, configure your alert to send to $result.email$ and to act per event instead of per result. Then you will automagically get two emails.
Requires 6.1 or something similarly old, by now.
