Hi There,
I'd like to send mails to the people from my search table. The table looks like below:
No. username Site
1 a A
2 b B
I tried to use a command, but it sent mail to the top user in the table instead of all of them.
| eval recipients=mvjoin(username, ";") | nomv recipients | sendemail from=xxx to=$result.recipients$
I searched mvexpand and mvcombine, but no luck. Would you share your suggestion, please?
Thank you!
Hey,
You could add this to your query:
| stats values(username) as recipients
You would then get a single multi-value field called recipients, which can then be combined into a single string using mvjoin. IIRC, addresses must be separated by a comma (,).
Hope that helps 🙂
How's this?
(your search)
|stats values(username) as username
|eval recipients=mvjoin(username, ";")
|sendemail from=xxx to=recipients
Thanks xpac, it should be working. I removed the sendemail part to test first, and it looks good.
But by adding | stats values(username) as recipients, the table will be changed as well.
Is there a way to keep the search result below, which I need to put into the mail body?
No. username Site
1 a A
2 b B
You could try this instead, but I haven't tested it:
| eventstats values(username) as _recipients
| eval _recipients=mvjoin(_recipients, ",")
| sendemail to=$result._recipients$
The _ in front of the field name should make it invisible, but still available... Try that 🙂
Thanks xpac, it works well!!!
I will set up an alert or report using this search query. However, it will be a little different from what I set up in the alert trigger threshold, where Splunk will send mail out if the result is over 1.
This way, it looks like Splunk will send mail out even if the result is 0, but I will try to figure that out.
I missed some comments that if the values are combined, then I can send mail to them in one mail; in the to list, it is "a;b".
@garujoey you should create a query with usernames and use the map command to iterate through users and send email to each one of them.
Here is an older answer for your reference: https://answers.splunk.com/answers/412019/why-are-empty-emails-being-sent-using-map-sendemai.html
Be aware that this makes Splunk send one mail per user, which might cause considerable overhead. Sending a single mail with multiple recipients might be more efficient.
Yes, I am going to send only one mail with multiple recipients to avoid too many duplicated mails. :)
True... username can be an email Distribution Group then.