Splunk Search

How to send individual emails that appear in the search results

pavaninpdl
New Member

Hi team,

I have search results with CUID is the email(I will append my company domain to CUID, so that mail will go to person) and attached the sample result for the same .How to send the individual emails for all the users along with server name.

I have used send mail command , but it is sending only one mail to the user appear in the first result. I need to send mail to all the users that appears in the list.

alt text
Please help me on this.

Tags (1)
0 Karma

woodcock
Esteemed Legend

This is from another Q&A:
https://answers.splunk.com/answers/399434/send-emailed-results-to-an-email-address-in-the-re.html#an...

If you need to send a contextually-appropriate subset of results to some people, you can skip the configuration-based email settings and do this in SPL:

... | outputcsv TempFile.csv
| stats values(Email_Address) AS emailToHeader | mvexpand emailToHeader
| map search ="|inputcsv TempFile.csv | where Email_Addresss=\"$emailToHeader$\"
   | fields - Email_Address
   | sendemail
      sendresults=true inline=true
      server=\"Your.Value.Here\"
      from=\"Your.Value.Here\"
      to=\"$emailToHeader$\"
      subject=\"Your Subject here: \$name\$\"
      message=\"This report alert was generated by \$app\$ Splunk with this search string: \$search\$\""
| where comment="MakeSureNoEventsRemail"
| append [|inputcsv TempFile.csv]
0 Karma

sirajnp
Path Finder

It's pretty simple, don't even need to use map command. Just enable send email alert action and in to: field set $result.email$ (email - depend upon your field name in Splunk result) and select trigger "for each result". Email will be send to the respective email address for each line of result.

https://docs.splunk.com/Documentation/Splunk/6.3.3/Alert/Emailnotification#Send_email_to_different_r...

0 Karma

somesoni2
SplunkTrust
SplunkTrust

You can use the map command along with the sendemail command, like this

your current search with all the fields mentioned in the screenshot
| map maxsearch=1000 search="| gentimes start=-1 | eval HOSTNM=\"$HOSTNM$\" |..other fields | sendmail to=\"$CUID$\" ..."
0 Karma

pradeepkumarg
Influencer
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...