Splunk Enterprise

How do I use the Log Event action for an alert and also send out email dynamically to all the resulting email IDs using |map()?

vickycoder27
Explorer

I have an alert that creates a table with email ID, user ID, endpoint and count in the result, which is used with the |map() & |send() functions to dynamically generate the emails.


I also needed this metadata to check which users I had sent emails to, so I added Action -> Log Event, but the problem is that Log Event only happens if the final result is a table and breaks if it is |map().


Action -> Send email works only for static emails.
How do I achieve this: Log Event + using map() to send out emails dynamically?

0 Karma

woodcock
Esteemed Legend

Like this:

Your search here
| appendpipe [ map search="sendemail stuff here | where true() == false()" ]
0 Karma
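Filling in the pattern above as a complete search, as an added example that is not from the original thread. The base search, the index and the field names (index=auth, email, user_id, endpoint, count) are assumed; substitute your own. The idea is that appendpipe hands the result table to a map subpipeline, map runs one sendemail search per row with the row's fields substituted into $email$, $user_id$ and so on, and the trailing where false() makes each mapped search return nothing, so appendpipe appends no rows and the original table reaches the Log Event action untouched.

```spl
index=auth action=failure
| stats count BY email user_id endpoint
| where count > 10
| appendpipe run_in_preview=false
    [ map maxsearches=500 search="| makeresults | sendemail to=\"$email$\" subject=\"$count$ failed logins for $user_id$ on $endpoint$\" message=\"User $user_id$ had $count$ failed logins on $endpoint$.\" sendresults=false | where false()" ]
```

Two caveats a practitioner will hit: map stops after maxsearches iterations (the default is 10), so set it above the largest result set the alert can produce or the remaining rows silently get no email; and run_in_preview=false keeps the subpipeline from firing during preview if you test the search interactively, which would otherwise send duplicate mail. The scheduled alert itself has no preview, and its Log Event action (and the alert's own triggering condition) see the unchanged stats table.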

jaime_ramirez
Communicator

Have you tried this app?:

https://splunkbase.splunk.com/app/1794/

It can send alerts to dynamically generated emails based on previous search results.

Hope it helps!!!

0 Karma

vickycoder27
Explorer

P.S. I can send email dynamically; that's not the issue. The problem is using the Action "Log Event" along with it. If you have any idea how to achieve that at the same time... For now I am using send mail for each result, and that seems to be bailing me out, but I still wanted to resolve this.

0 Karma