Basic search is:
host="*" | stats count(linecount) as count by host,sysadmin| where count > 1000000 | sort -count | sendemail to=recipient@domain.com format=html sendresults=true subject=search_results
Ok ... this works. Essentially any host that has sent more than a million messages to splunk will be captured in the search ... The sysadmin owner of that host is a field obtained by a working lookup ...
So, in the case of this search reporting two hosts:
host1 sysadmin1 2000000
host2 sysadmin2 1700000
host3 sysadmin1 1500000
I'd like to somehow be able to grab those results and send only the search output relevant to sysadmin1 to sysadmin1 and the same for sysadmin2.
subject="noisy syslog volume for hosts owned by $sysadmin$" ( just a guess as to altering the subject line on a per recipient basis ) ...
So, how to iterate between unique sysadmins and send the results relevant to each individually.
Thanks very much
You could write a small python script for that and define it as a custom search command. I don't think splunk can do this out of the box without specifying one search per sysadmin.
Just as a follow-up to those who might be looking for an answer like this. I originally did it like this, using a bash script to take the results of my scheduled search and parse the results and feed it back into a command line splunk search (i.e. ./bin/splunk search "blah").
I found that I can save the hassle by 1) making a custom copy of the sendemail command and making my own command to make it a customer facing prettier email 2) using the "map" command to search using stats count by and feeding the "by" fields into almost the same search using map command.
sourcetype=blah | join type=outer host [ |inputlookup email_lookup.csv | fields from, to, host ] | stats count by from, to, host | map search="search sourcetype=blah | join type=outer host [ |inputlookup email_lookup.csv ] | search to=\"$to$\" from=\"$from$\" host=\"$host$\" | sendemailpretty from=\"$from$\" to=\"$to$\" subject=\"Email\" server=mailserver sendresults=true inline=true format=html"
Note: please escape the internal quotes of the map search=" " using backslash quote .
Hope this helps others out.
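The following is an added example, not code posted by anyone in this thread and not part of Splunk itself. It shows the per-owner fan-out that the question asks for and that both answers describe (a small script fed the search results, or one sendemail per "by" group): the script parses the result table of `stats count(linecount) as count by host,sysadmin | where count > 1000000` as CSV, groups rows by sysadmin, and builds one HTML e-mail per owner with a subject line that names that owner. The host and owner names, the owner-to-address lookup and the sample rows are all constructed for the example; only the Python standard library is used, and delivery defaults to a dry run so the script can be tested without a mail server. Because host names originate in syslog data, the HTML body escapes them, so a machine that reports a hostname containing markup cannot inject content into the e-mail sent to its owner.

```python
"""Fan out a Splunk result table to per-owner HTML e-mails.

Added example (not from the thread). Assumes the scheduled search emits
rows of host, sysadmin, count as CSV, and that a lookup maps each
sysadmin name to an e-mail address. Standard library only.
"""
import csv
import html
import io
import smtplib
from collections import defaultdict
from email.message import EmailMessage

# Constructed sample of what the search in the question might emit as CSV
# (hypothetical host and owner names).
SAMPLE_CSV = """host,sysadmin,count
host1,sysadmin1,2000000
host2,sysadmin2,1700000
host3,sysadmin1,1500000
"""

# Hypothetical owner -> address lookup (in Splunk this would be a lookup table).
OWNER_EMAIL = {
    "sysadmin1": "sysadmin1@example.com",
    "sysadmin2": "sysadmin2@example.com",
}


def group_by_owner(csv_text):
    """Parse the result table into {sysadmin: [row, ...]}, keeping row order."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["count"] = int(row["count"])
        groups[row["sysadmin"]].append(row)
    return dict(groups)


def render_html(rows):
    """Render one owner's rows as an HTML table, highest count first.

    Host names come from log data, so they are escaped: a machine whose
    syslog hostname contains markup must not be able to inject it here.
    """
    lines = ["<table><tr><th>host</th><th>count</th></tr>"]
    for r in sorted(rows, key=lambda r: r["count"], reverse=True):
        lines.append(
            f"<tr><td>{html.escape(r['host'])}</td><td>{r['count']}</td></tr>"
        )
    lines.append("</table>")
    return "".join(lines)


def build_messages(csv_text, sender="splunk@example.com"):
    """Build one EmailMessage per sysadmin; the subject names the owner."""
    messages = []
    for owner, rows in group_by_owner(csv_text).items():
        to_addr = OWNER_EMAIL.get(owner)
        if to_addr is None:
            continue  # unknown owner: skip rather than mail the wrong person
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = to_addr
        msg["Subject"] = f"noisy syslog volume for hosts owned by {owner}"
        msg.set_content("Hosts over 1M events are listed in the HTML part.")
        msg.add_alternative(render_html(rows), subtype="html")
        messages.append(msg)
    return messages


def send_all(messages, server="mailserver", port=25, dry_run=True):
    """Deliver via SMTP and return the message count; dry_run skips the network."""
    if not dry_run:
        with smtplib.SMTP(server, port) as smtp:
            for msg in messages:
                smtp.send_message(msg)
    return len(messages)


if __name__ == "__main__":
    msgs = build_messages(SAMPLE_CSV)
    for m in msgs:
        print(m["To"], "|", m["Subject"])
    print("would send", send_all(msgs), "messages")
```

Run with a CSV exported by the scheduled search (or wired in as a scripted alert action) and set `dry_run=False` only once the server name and recipients come from the same lookup Splunk uses, so that nothing in the result rows can redirect mail.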
If you survive Perl you'll make do with Python as well 🙂
PS: If your script turns out well you should consider publishing it as an add-on on splunkbase.
Thanks very much for your reply. I ended up writing a simple shell script, placed it in $SPLUNK_HOME/bin/scripts and it calls a perl script and passes it the $8 variable out of the splunk search. That does the trick. ( don't know python well enough to do the same ). 😎