I execute a search and, from the search results, if the host contains hostA, I want to send email to groupA. If it contains hostB then I want to send an email to hostB. Sometimes the search results can contain both hostA and hostB in which case I want to send email to both groupA and groupB.
I am making one assumption:
1. In the second condition you have provided, your host values are comma delimited (when they both come together).
Going by this assumption, I suggest you use a lookup to prepopulate the email ids based on host names and then call another Splunk command, sendemail. Here is a sample one:
```
| makeresults
| eval host="a,b"
| makemv host delim=","
| mvexpand host
| lookup emaillist host as HOST OUTPUT email as EMAIL
| sendemail to=EMAIL
```
Here even if your host value is only a or only b, it should still work. Lookup helps you managing the email ids without touching the query. However, you can also put some if-else logic in the query to get this done. But that may require changes in query, even if you want to update any spelling.
Let me know if this helps.
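As an added illustration that is not part of the original answer, the search below follows the same lookup approach but also routes hosts that have no recipient configured to a fallback address (so a gap in the lookup does not silently drop a notification) and collapses to one row per recipient before sending. It assumes a lookup definition named `emaillist` backed by a CSV with columns `HOST,EMAIL` (for instance `hostA,groupA@example.com` and `hostB,groupB@example.com`), that `security-oncall@example.com` is a placeholder fallback address, and that `to=` accepts the field value the way the answer uses it; the `makeresults`/`eval` lines only fake a result whose host field carries several names.

```spl
| makeresults
| eval host="hostA,hostB,hostC"
| makemv host delim=","
| mvexpand host
| lookup emaillist HOST as host OUTPUT EMAIL as email
| eval email=if(isnull(email), "security-oncall@example.com", email)
| stats values(host) as hosts by email
| sendemail to=email subject="Host alert" sendresults=true
```

Replace the first two lines with the real search; `hostC` is included only to exercise the fallback branch.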