Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do you send an email alert based on search results?

AKG1_old1
Builder
‎03-03-2019 04:30 AM

Hi,

I am using a saved search and looking to send an email alert to multiple recipients based on search results (with results in the message body).

Based on referring similar posts, I came up with this query, but the issue is I am not getting any results in the email body, and also, this will send multiple mails to the same user(same email may configured in multiple lines). I'm looking for consolidation of results based on email address.

Query:

<basesearch>| table  Time  Context+Command Elapsed  EMAIL  |map search="| sendemail to=$EMAIL$ format=table sendresults=true inline=true"

OR

If I can consolidate all configured emails and send the full list for results to all recipients as CC, that will work too.

I don't know if this works.

 | eventstats list(EMAIL) as EMAIL

Related post used for reference:

https://answers.splunk.com/answers/401081/how-to-use-the-sendemail-command-to-send-an-email.html

https://docs.splunk.com/Documentation/Splunk/6.5.2/Alert/Emailnotification#Send_email_to_different_r...

thanks

Preview file
1 KB
Reply

sirajnp
Path Finder
‎06-30-2021 12:27 AM

It's pretty simple, don't even need to use map command. Just enable send email alert action and in to: field set $result.email$ (email - depend upon your field name in Splunk result) and select trigger "for each result". Email will be send to the respective email address for each line of result.

https://docs.splunk.com/Documentation/Splunk/6.3.3/Alert/Emailnotification#Send_email_to_different_r...

Reply

gjanders
SplunkTrust
SplunkTrust
‎03-03-2019 02:28 PM

Refer to the SplunkBase app sendresults that is probably a better match for this use case.
If you refer to the details tab it allows you to customise the email_to among other variables such as the body of the email based on your search results (by using eval statements)

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎03-03-2019 06:50 AM

Are you wanting to send an email based off the results of a different search or the inline search with thesendemail command?

If the former, it would go like this

1) Create a conditional search
2) If this alert fires, then it triggers an alert action which dispatches another search
3) The search that was dispatched will have the sendemail command

0 Karma
Reply

AKG1_old1
Builder
‎03-03-2019 01:11 PM

Thanks for reply. I am using only 1 search and it produce list of results and each row have email value as described in attachement. There could be many different email address. I have two option here

1) Either send email for each row but in this case multiple email will be sent if same email specified in multiple rows. unless there is some way to consolidate results for each email address.

2) create a list of all email address and send full results to all of them.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...