sendresults Command: How can I send the entire set of results as a group email vs individual emails

AkritiParida
Engager

I have created an alert that generates a report in a tabular form and sends the rows of results to individuals dynamically based on the value in a particular field. However, I also need the entire set of results to be sent to a group irrespective of the result set. When I hardcode the group in the cc mail as per the information on Splunkbase, the entire result set doesn't get sent to the cc'ed group in a single email; instead it is sent to the group as individual emails containing the result set for different individuals. Is it possible to send a single email containing the entire result set to a group while dynamically sending respective rows of results to individual recipients at the same time?
My search looks like this
|pivot ....| eval email_to='user_id'."@abc.com".",group@xyz.com"| sendresults ...

Also, I noticed that if for one user id there are multiple rows of results, say 3, then 3 result sets get sent to the individual in a single email, so I was wondering why the same is not happening with the cc'ed group as it is specified as the recipient for all the rows of result sets.

ewrober
New Member

I had the same requirement and resolved it this way.
We use the sendresults command inline in the scheduled alert to break out the results to the email_to field.

We then configure the "Trigger Actions" of the alert to email the group that needs the entire list. This sends a single email with all the results and also includes the email_to field.

mockd
Path Finder

Hi,

Thanks for the interest in the sendresults command.

The idea of being able to cc the entire report in addition to the individual emails is a great idea and I have added it to our list of enhancements for the command.

For your question about the user with three results, that's the result that I would expect. Sendresults groups the rows to be sent based on the final value of the email_to field when the command is run, and the recipients in the email_to field will get those rows. So if some rows have emailA and emailB but some rows only have emailA, then emailA will get two emails: the one that has rows in which the email_to was only emailA and an email with the rows that were emailA and emailB. Hopefully that makes sense.

Derek.
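
As an added illustration (not the sendresults command's own code), here is a small Python model of the grouping rule Derek describes, run over constructed rows shaped like the original search's email_to values. The row data, field names and helper names are assumptions; it shows why three rows for one user arrive in one email while the cc'ed group address receives one email per distinct email_to value.

```python
from collections import defaultdict

# Constructed sample rows, shaped like the output of
#   eval email_to='user_id'."@abc.com".",group@xyz.com"
# (user ids, hosts and domains are made up for the example).
ROWS = [
    {"user_id": "alice", "host": "web01", "email_to": "alice@abc.com,group@xyz.com"},
    {"user_id": "alice", "host": "web02", "email_to": "alice@abc.com,group@xyz.com"},
    {"user_id": "alice", "host": "web03", "email_to": "alice@abc.com,group@xyz.com"},
    {"user_id": "bob",   "host": "db01",  "email_to": "bob@abc.com,group@xyz.com"},
    {"user_id": "carol", "host": "app01", "email_to": "carol@abc.com"},
]


def group_by_email_to(rows):
    """Bucket rows by the exact, final email_to string.

    This mirrors the rule described in the answer: each distinct email_to
    value becomes one outgoing email carrying all rows with that value.
    Hypothetical helper, not the command's implementation.
    """
    buckets = defaultdict(list)
    for row in rows:
        buckets[row["email_to"]].append(row)
    return dict(buckets)


def emails_per_recipient(buckets):
    """Count how many separate emails each address receives.

    An address appearing in k distinct buckets gets k emails, which is why
    a hardcoded group address gets one email per individual user.
    """
    counts = defaultdict(int)
    for email_to in buckets:
        for addr in (a.strip() for a in email_to.split(",")):
            counts[addr] += 1
    return dict(counts)


if __name__ == "__main__":
    buckets = group_by_email_to(ROWS)
    for email_to, rows in buckets.items():
        print(f"{len(rows)} row(s) -> {email_to}")
    print(emails_per_recipient(buckets))
```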
