Hello,
In my search query I've defined 3 email_subjects and 3 email_addresses with eval, to which I want to send an alert based on a defined threshold,
e.g. if the threshold value is 1 then email_subject1 and email_address1, etc.
My output is in table format, because of which, to use $result.fieldname$ values, I'd have to add the email_subject and email_address fields to the search result table (definitely not desired). That is the issue I'm stuck at; I faced the same issue with "sendemail" as well.
Is there an alternate way to send an email alert via Splunk itself (no script)?
There are 2 basic options.
#1: Hide the fields that you are using by making them invisible by prepending them with the underscore ("_") character like this:
... foreach email_* [ rename <<FIELD>> AS _<<FIELD>> ]
... $result._fieldname$
#2: Bring the email function into the SPL using the sendemail command and separate the 2 portions of data using the map command, like this:
... | outputlookup TEMP_FILE_FOR_ALERT_FOO_BAR_BAT_DELETE_ME_AT_ANY_TIME.csv
| stats values(email_recipient) AS email_recipients BY email_subject
| nomv email_recipients
| rex field=email_recipients mode=sed "s/[\r\n\s]/,/g"
| map max_searches=10 search="|inputlookup TEMP_FILE_FOR_ALERT_FOO_BAR_BAT_DELETE_ME_AT_ANY_TIME.csv
| search email_subject=\"$email_subject$\"
| fields - email_*
| sendemail to=\"$email_recipients$\" subject=\"$email_subject$\""
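The following is an added worked example of option #1 above, not code from the original thread. It shows a complete threshold-routed alert as a savedsearches.conf stanza so that the SPL and the email action settings that consume the hidden fields are visible together; in the UI the same two token values go in the alert's "To" and "Subject" boxes. The index, sourcetype, thresholds and recipient addresses are assumptions chosen for illustration.

```ini
# savedsearches.conf, e.g. $SPLUNK_HOME/etc/apps/<app>/local/savedsearches.conf
# Added example (not from the original thread). Index, sourcetype, thresholds
# and addresses are assumptions; replace them with your own.
[Threshold-routed SSH auth failure alert]
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now

# The search computes a per-source severity (1..3), maps it to a subject and a
# recipient with eval, sorts the most severe row first, then renames the
# email_* fields to _email_* so they are hidden from the result table while
# still being present for the $result.*$ tokens below.
search = index=auth sourcetype=linux_secure "Failed password" \
| rex "Failed password for (?:invalid user )?(?<user>\S+) from (?<src_ip>\d+\.\d+\.\d+\.\d+)" \
| stats count AS failures dc(user) AS distinct_users BY src_ip \
| where failures >= 10 \
| eval threshold=case(failures >= 100, 3, failures >= 50, 2, true(), 1) \
| eval email_subject=case(threshold==3, "CRITICAL: SSH brute force from ".src_ip, \
                          threshold==2, "HIGH: repeated SSH auth failures from ".src_ip, \
                          true(), "LOW: SSH auth failures from ".src_ip) \
| eval email_address=case(threshold==3, "soc-oncall@example.com", \
                          threshold==2, "soc@example.com", \
                          true(), "secops-digest@example.com") \
| sort - failures \
| foreach email_* [ rename <<FIELD>> AS _<<FIELD>> ]

# Trigger whenever at least one row comes back
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1

# Email action. $result.<field>$ tokens are read from the FIRST result row,
# which is why the search sorts by failures descending: the most severe
# source decides who is paged and with what subject.
action.email = 1
action.email.to = $result._email_address$
action.email.subject = $result._email_subject$
action.email.format = table
action.email.inline = 1
action.email.sendresults = 1
```

Because `$result.*$` only sees the first row, a run that contains both a CRITICAL and a LOW source sends one mail to the CRITICAL recipient with the whole table attached; if each severity must go to its own address, option #2 (`map` with `sendemail`) is the one to use. With that option keep in mind that `map` substitutes `$email_subject$` and `$email_recipients$` verbatim into the generated search string, so those values should be constants you set with `eval`, as here, and not strings pulled out of event data.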
The issue here is that several commands are built as the search is parsed; sendemail is one of these commands.
There are three ways I have found around this:
Be forewarned: the map command is broken in 8.0.2, but is fixed in 8.0.5.
Can you share an example?
Your question is not clear.