- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Is it possible to change the table fields being se...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is it possible to change the table fields being sent with the sendemail command?
Hello,
I'm trying to find a way to use search result fields to address an e-mail, but remove those fields in the inline table in the body of the e-mail.
Here is an example of the search results:
Field_1, Field_2, Contact
Value_F1_1, Value_F2_2, contact@domain.com
Value_F1_2, Value_F2_3, contact@domain.com
Value_F1_3, Value_F2_2, contact@domain.com
The send e-mail command I am using needs the Contact field to determine who to send the e-mail to:
... |sendemail to=$result.Contact$ subject=subject sendresults=true format=table
As you can imagine, the inline table in the e-mail contains the Contact field as well. What I'd like to know is whether there is some way to remove the field from the inline table sent in the e-mail.
Thank you and best regards,
Andrew
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
You might have got the result i am replying so that it can help others
as you are using sendemail command and you need Contact field do the following
...|rename Contact as _Contact |sendemail to=$result._Contact$ subject=subject sendresults=true format=table
while sending mail splunk will ignore _Contatct field as it has underscore(_)
Hope this helps
Happy Splunking 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@andrewtrobec, what is the query that fetches the results above? Also how many rows do you expect in results?
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have an index that has those values already, so it would be
index=my_index | table Field_1 Field_2 Contact
There are filters in place that will make sure that Contact will be the same for every event. There will be between 2 and 25/30 results. I want to be able to send an e-mail to Contact, but configure the body so that the Contact field doesn't appear.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try this,
... | fields Contact |sendemail to=$result.Contact$ subject=subject sendresults=true format=table
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the reply. This suggestion does the opposite of what I'm looking for: it sends an e-mail to the address and the e-mail content is just the contact column. I'd like to send an e-mail to the address, but have the inline table contain everything but the contact field.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
... | fields - Contact |sendemail to=$result.Contact$ subject=subject sendresults=true format=table
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've also tried this, but it removes the field so there is nothing to pass to the sendmail command. Thanks for trying!
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
