- Splunk Answers
- :
- Using Splunk
- :
- Reporting
- :
- Modifying usernames and sending emails to them whe...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi everyone,
I am fairly new to Splunk, and I’m having problems creating a rule that when a user login, sends an email to that user.
The users are logging in using RSA VPN, so the Cisco_ASA_user field does not have @company.com.
Some Users also have different profiles when they login, for example, jon.doe may have the following user IDs:
1)jon.doe-ad
2)jon.doe-office
3-jon.doe-dev
The email address of jon.doe is jon.doe@company.com. The email syntax in general is username@company.com.
I managed to use this to remove the -* part: eval Cisco_ASA_user=replace (Cisco_ASA_user, "(-ad|-office|-dev)", "")
So, now the Cisco_ASA_user field shows the username without any extensions.
The next step is to add @company.com to the Cisco_ASA_user and this the part that I don’t know how to do and how to send emails when there is a match.
This is how the query looks like so far:
index=cisco_asa vendor_class="aaa/auth" Cisco_ASA_message_id=113039 | eval Cisco_ASA_user=replace (Cisco_ASA_user, "(-ad|-office|-dev)", "")
Any ideas of how to do this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @arsalanj,
To append @company to Cisco_ASA_user field please add ."@company.com" at the end of the eval command.
index=cisco_asa vendor_class="aaa/auth" Cisco_ASA_message_id=113039
| eval Cisco_ASA_user=replace (Cisco_ASA_user, "(-ad|-office|-dev)", "")."@company.com"
However, to send the email to that particular user it will be a bit tricky.
From the search above you can create an alert and add action to the alert -> send email. Now it depends from the amount of users that you have in Splunk environment. If there are only several of them you can create separate alert for each user. In other case you can give a try with tokens in a "To:" field. I am not sure if a token $Cisco_ASA_user$ will be working as I have never tried such thing before.
Here you can find a list of tokens which can be used for sure:
https://docs.splunk.com/Documentation/Splunk/7.2.3/Alert/EmailNotificationTokens
EDIT:
I only copy/paste a final solution achieved by @arsalanj to have everything in the accepted answer.
index=cisco_asa vendor_class="aaa/auth" Cisco_ASA_message_id=113039
| eval Cisco_ASA_user=replace (Cisco_ASA_user, "(-ad|-office|-dev|-office)", "")."@company.com"
| iplocation src_ip
| convert timeformat="%m-%d-%Y %l:%M %p" ctime(_time) AS c_time
| table Cisco_ASA_user, Country, City, c_time, src_ip
| eval email_to=Cisco_ASA_user
| sendresults
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is from another Q&A:
https://answers.splunk.com/answers/399434/send-emailed-results-to-an-email-address-in-the-re.html#an...
If you need to send a contextually-appropriate subset of results to some people, you can skip the configuration-based email settings and do this in SPL:
... | outputcsv TempFile.csv
| stats values(Email_Address) AS emailToHeader | mvexpand emailToHeader
| map search ="|inputcsv TempFile.csv | where Email_Addresss=\"$emailToHeader$\"
| fields - Email_Address
| sendemail
sendresults=true inline=true
server=\"Your.Value.Here\"
from=\"Your.Value.Here\"
to=\"$emailToHeader$\"
subject=\"Your Subject here: \$name\$\"
message=\"This report alert was generated by \$app\$ Splunk with this search string: \$search\$\""
| where comment="MakeSureNoEventsRemail"
| append [|inputcsv TempFile.csv]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The map search =" should be map search=" (wihtout the extra space).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you, @Woodcock,
I finally managed to make it work and this is how I did it:
index=cisco_asa vendor_class="aaa/auth" Cisco_ASA_message_id=113039| eval Cisco_ASA_user=replace (Cisco_ASA_user, "(-ad|-office|-dev|-office)", "")."@company.com" | iplocation src_ip
| convert timeformat="%m-%d-%Y %l:%M %p" ctime(_time) AS c_time |table Cisco_ASA_user, Country, City, c_time, src_ip
| eval email_to=Cisco_ASA_user | sendresults
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @arsalanj,
To append @company to Cisco_ASA_user field please add ."@company.com" at the end of the eval command.
index=cisco_asa vendor_class="aaa/auth" Cisco_ASA_message_id=113039
| eval Cisco_ASA_user=replace (Cisco_ASA_user, "(-ad|-office|-dev)", "")."@company.com"
However, to send the email to that particular user it will be a bit tricky.
From the search above you can create an alert and add action to the alert -> send email. Now it depends from the amount of users that you have in Splunk environment. If there are only several of them you can create separate alert for each user. In other case you can give a try with tokens in a "To:" field. I am not sure if a token $Cisco_ASA_user$ will be working as I have never tried such thing before.
Here you can find a list of tokens which can be used for sure:
https://docs.splunk.com/Documentation/Splunk/7.2.3/Alert/EmailNotificationTokens
EDIT:
I only copy/paste a final solution achieved by @arsalanj to have everything in the accepted answer.
index=cisco_asa vendor_class="aaa/auth" Cisco_ASA_message_id=113039
| eval Cisco_ASA_user=replace (Cisco_ASA_user, "(-ad|-office|-dev|-office)", "")."@company.com"
| iplocation src_ip
| convert timeformat="%m-%d-%Y %l:%M %p" ctime(_time) AS c_time
| table Cisco_ASA_user, Country, City, c_time, src_ip
| eval email_to=Cisco_ASA_user
| sendresults
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @n0str0m08
The ".company.com" part worked perfectly.
They are hundreds of users, so creating separate alert actions won't efficient.
Thank you for that resource too, I saw it before, but I had the problem of modifying that field.
Now that I can extract the user field thanks to you I can try different tokens to see how it works.
I wish I could just add $Cisco_ASA_User$ as a recipient in the alert section, but I don't think it will be that easy!
I'll keep updating this case.
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
