Hello,
I'm trying to find a way to use search result fields to address an e-mail, but remove those fields in the inline table in the body of the e-mail.
Here is an example of the search results:
Field_1, Field_2, Contact
Value_F1_1, Value_F2_2, contact@domain.com
Value_F1_2, Value_F2_3, contact@domain.com
Value_F1_3, Value_F2_2, contact@domain.com
The send e-mail command I am using needs the Contact field to determine who to send the e-mail to:
... |sendemail to=$result.Contact$ subject=subject sendresults=true format=table
As you can imagine, the inline table in the e-mail contains the Contact field as well. What I'd like to know is whether there is some way to remove the field from the inline table sent in the e-mail.
Thank you and best regards,
Andrew
Hi,
You might have already got the result; I am replying so that it can help others.
As you are using the sendemail command and you need the Contact field, do the following:
...|rename Contact as _Contact |sendemail to=$result._Contact$ subject=subject sendresults=true format=table
While sending mail, Splunk will ignore the _Contact field as it has an underscore (_).
Hope this helps
Happy Splunking 🙂
@andrewtrobec, what is the query that fetches the results above? Also, how many rows do you expect in the results?
I have an index that has those values already, so it would be
index=my_index | table Field_1 Field_2 Contact
There are filters in place that will make sure that Contact will be the same for every event. There will be between 2 and 25/30 results. I want to be able to send an e-mail to Contact, but configure the body so that the Contact field doesn't appear.
Try this:
... | fields Contact |sendemail to=$result.Contact$ subject=subject sendresults=true format=table
Thanks for the reply. This suggestion does the opposite of what I'm looking for: it sends an e-mail to the address and the e-mail content is just the contact column. I'd like to send an e-mail to the address, but have the inline table contain everything but the contact field.
... | fields - Contact |sendemail to=$result.Contact$ subject=subject sendresults=true format=table
I've also tried this, but it removes the field so there is nothing to pass to the sendmail command. Thanks for trying!