
email "To" list from search results

rv6abob
Engager

Any way to make a scheduled search's "To" list be a result field from a search?

Lowell
Super Champion

I tried some other "tricks" but nothing seemed acceptable. I'm fairly confident you could do something like this using map. Something like:

 <email lookup search> | stats values(email) as to | eval to=mvjoin(to, ",") | map search=" <the real search> | sendemail to=\"$to$\""

But that gets pretty ugly really quick (especially if you have many double quotes), and there are other limitations too.

I think the only real answer is to make your own email sending search command that can be told to use some sort of field substitution within the "to" field. Which admittedly would be nice and I could see that being helpful for other fields too, like the subject line.

If you want to go down that road, be sure to check out the existing sendemail search command. You can find the existing code here: $SPLUNK_HOME/etc/apps/search/bin/sendemail.py. It's probably a better idea to copy this instead of modifying the existing one, since it will be overwritten by any Splunk upgrades.
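
The field substitution such a custom command would need, as an added example that is not part of the original answer and is not the code of Splunk's sendemail.py. The names `expand`, `recipients`, `build_message` and `ALLOWED_DOMAINS` are hypothetical; the domain allow-list and the rejection of line breaks are assumptions about how recipient values taken from search results should be checked before they reach a mail header.

```python
import re
from email.message import EmailMessage

TOKEN = re.compile(r"\$(\w+)\$")      # $field$ tokens, same style as map's $to$
ADDR = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}")
ALLOWED_DOMAINS = {"example.com"}     # assumption: only mail your own domain(s)

def expand(template, row):
    """Replace each $field$ token with that field's value from one result row."""
    def sub(match):
        value = row[match.group(1)]            # KeyError if the field is absent
        value = ",".join(value) if isinstance(value, (list, tuple)) else str(value)
        if "\r" in value or "\n" in value:     # a line break here would inject headers
            raise ValueError("line break in field %r" % match.group(1))
        return value
    return TOKEN.sub(sub, template)

def recipients(to_template, rows):
    """Expand the To template for every row; return unique, validated addresses."""
    found = []
    for row in rows:
        for addr in re.split(r"[,;\s]+", expand(to_template, row).lower()):
            if not addr:
                continue
            if not ADDR.fullmatch(addr) or addr.rsplit("@", 1)[1] not in ALLOWED_DOMAINS:
                raise ValueError("recipient not allowed: %r" % addr)
            if addr not in found:
                found.append(addr)
    if not found:
        raise ValueError("no recipients in results")
    return found

def build_message(sender, to_template, subject_template, rows):
    """Build the mail; the subject is expanded from the first result row."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients(to_template, rows))
    msg["Subject"] = expand(subject_template, rows[0])
    msg.set_content("%d result(s) matched." % len(rows))
    return msg

# Constructed sample results, not from a real search.
SAMPLE_ROWS = [{"email": "alice@example.com", "host": "web01"},
               {"email": ["bob@example.com", "Alice@example.com"], "host": "web02"}]

if __name__ == "__main__":
    print(build_message("splunk@example.com", "$email$", "Alert for $host$", SAMPLE_ROWS))
```
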
