- Splunk Answers
- :
- Using Splunk
- :
- Alerting
- :
- How to send specific set of data to specific recip...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to send specific set of data to specific recipient?
Hello,
I have a set of data in the following manner.
Domain Application TicketId Hours Recipient
HR abb 123rrr 121 h1@gmail.com
HR hhg 145rew 100 h1@gmail.com
Hi aby 123rrt 120 h2@gmail.com
Hi hhu 145rty 109 h2@gmail.com
Hl abo 123rhg 127 h3@gmail.com
Hl hhi 145rll 105 h3@gmail.com
Hl abp 123rkh 123 h3@gmail.com
Tm hhp 145rfdf 100 h4@gmail.com
The query which i have written generates this:
"search query|eval recipient=case(Domain=HR,recipient=h1@gmail.com,Domain=Hi,recipient=h2@gmail.com,Domain=Hl,recipient=h3@gmail.com)|"
so that it sends specific data to specific recipients as mail alerts.
Like If domain is HR then all data related to hr should go to h1@gmail.com not the data of remaining domains.
In my mail alerts settings also alert mode="once per search" mode and in the TO filed it is $recipient.result$ , but still mail is not sending specific results to specific recipients.It is sending the whole data
Please suggest what should be done
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to select alert mode as once per result. Be aware that with your current search, it may send duplicate alerts if there are multiple records for each email address. To avoid that you can do like this
your current query generating above output | stats list(*) as * by Recipient
Also, the to field should be $result.recipient$ Is that a typo in your post?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks this worked
But now the problem is the mail is not sent in a organised format.
like i was expecting:
recipient Domain Application
h1@gmail.com HR abc
HR hhg
rather it came in this way
recipient Domain Application
h1@gmail.com HR HR abc hhg
can we bring the table in first format?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try this eval:
|eval recipient=case(Domain="HR","h1@gmail.com",Domain="Hi","h2@gmail.com",Domain="Hl","h3@gmail.com")
and see if that works.
and in the TO field: $result.recipient$
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
