How to send mail to the user in one mail if the values are combined?

garujoey
Engager

Hi There,

I'd like to send mails to the people from my search table, the table looks like below:

No.  username  Site
1    a         A
2    b         B

I tried to use the command below, but it sent mail to the top user in the table instead of all of them.

| eval recipients=mvjoin(username, ";") | nomv recipients | sendemail from=xxx to=$result.recipients$

I searched mvexpand, mvcombine, but no luck, would you share your suggestion please?
Thank you!

0 Karma
1 Solution

xpac
SplunkTrust

Hey,

You could add this to your query:
| stats values(username) as recipients
You would then get a single multivalue field called recipients, which can then be combined into a single string using mvjoin - iirc, addresses must be separated by ,.

Hope that helps 🙂

HiroshiSatoh
Champion

How's this?

   (your search)
|stats values(username) as username
|eval recipients=mvjoin(username, ";")
|sendemail from=xxx to=recipients
0 Karma

garujoey
Engager

Thanks xpac, it should be working. I removed the sendemail part to test first, and it looks good.

But by adding | stats values(username) as recipients, the table will be changed as well.
Is there a way to keep the search result below, which I need to put into the mail body?

No. username Site
1 a A
2 b B

0 Karma

xpac
SplunkTrust

You could try this instead, but I haven't tested it:

| eventstats values(username) as _recipients
| eval _recipients=mvjoin(_recipients, ",") 
| sendemail to=$result._recipients$

The _ in front of the field name should make it invisible, but still available... Try that 🙂

0 Karma
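
The eventstats approach from the reply above as a self-contained search, added here as an example and not posted by anyone in the thread. The three rows, the example.com addresses, the subject text and the address-format check are assumptions; the check keeps a malformed username out of the To list while its row stays in the table sent in the mail body.

```spl
| makeresults count=3
| streamstats count as No
| eval username=case(No=1, "a@example.com", No=2, "b@example.com", No=3, "c,d@example.com")
| eval Site=case(No=1, "A", No=2, "B", No=3, "C")
| table No username Site
| eval _addr=if(match(username, "^[^@\s,;]+@[^@\s,;]+$"), lower(username), null())
| eventstats values(_addr) as _recipients
| eval _recipients=mvjoin(_recipients, ",")
| sendemail to=$result._recipients$ subject="Site report" sendresults=true inline=true
```

Because the recipient list is built from search data, a username value that itself contains a separator would otherwise add extra addresses to the To list.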

garujoey
Engager

Thanks xpac, it works well!!!

I will set up an alert or report using this search query. However, it will be a little different from what I set up in the alert trigger threshold, where Splunk sends mail out if the result is over 1.

Using this approach, it looks like Splunk will send mail out even if the result is 0, but I will try to figure that out.

0 Karma

garujoey
Engager

I missed some comments: if the values are combined, then I can send mail to them in one mail; in the To list, it is "a;b".

0 Karma

niketn
Legend

@garujoey you should create a query with usernames and use the map command to iterate through users and send an email to each one of them.

Here is an older answer for your reference: https://answers.splunk.com/answers/412019/why-are-empty-emails-being-sent-using-map-sendemai.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

xpac
SplunkTrust

Be aware that this makes Splunk send one mail per user, which might cause considerable overhead. Sending a single mail with multiple recipients might be more efficient.

garujoey
Engager

Yes, I am going to send only one mail with multiple recipients to avoid too many duplicated mails.
:)

0 Karma

niketn
Legend

True... username can be an email Distribution Group then.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma