Alerting

Looking for a better way to email reports

ShaneNewman
Motivator

I have about 30 saved searches that are running on a periodic basis looking for configuration errors (incorrect characters) in integration files. This give us an enterprise view of: new configs, disabled configs, erroneous configs, ect. This further needs to be broken down into a divisional views (15 each) before being send to the end users, who will make the appropriate changes (if needed) to correct integrations.

I would prefer not to have 450 saved searches running to do this. I capture division information in the search and have email addresses associated with the divisions in a lookup file.

My question then becomes can I do something like:

... | lookup division_email_list division OUTPUT division_email_address | eval action.email.to=division_email_address

I know it will be a bit more involved that that, I just need to be pointed in the right direction.

Thanks in advance for anyone who can assist!

0 Karma
1 Solution

itinney
Path Finder

This should work:

... | lookup division_email_list division OUTPUT division_email_address | sendemail to=division_email_address format="html" server=smtp.gmail.com:587 use_tls=1

Take a look at the python script $SPLUNK_HOME/etc/apps/search/bin/sendemail.py for other keyword arguments you can use with sendemail command.

View solution in original post

grundsch
Communicator

I had a similar use case with PDFs. I finaly wrote a script to generate the saved searches and schedules based on a template and csv of parameters.
http://answers.splunk.com/answers/200640/how-to-schedule-customized-dashboard-views-to-grou.html
Maybe you can hack it to fit your use case.

0 Karma

itinney
Path Finder

This should work:

... | lookup division_email_list division OUTPUT division_email_address | sendemail to=division_email_address format="html" server=smtp.gmail.com:587 use_tls=1

Take a look at the python script $SPLUNK_HOME/etc/apps/search/bin/sendemail.py for other keyword arguments you can use with sendemail command.

ShaneNewman
Motivator

I get an error saying invalid address. Any Ideas?

0 Karma

ShaneNewman
Motivator

Using this function, I would need to remove the portion of my saved search that contains:

action.email = 1
action.email.subject = Removed Integration Configs
action.email.sendresults = 1
action.email.attached = 1
action.email.format = csv

Correct?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...