Training + Certification Discussions
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you show all search results in an email notification?

pinkyyu
New Member
‎01-03-2019 12:48 AM

I use the below search command with email notification query:

src=BDDH2591 source="D" earliest=-14d | table time_detected, src, user, file_path | stats list(file_path) list(time_detected) AS time by src user*

the email content will consist of the below information
Antivirus information:
Date (UTC-0): $$result.time_detected$$
Machine name: $$result.src$$
Username: $$result.user$$
Path: $$result.file_path$$

However, the result of email content will become below:

Antivirus information:
Date (UTC-0):
Machine name: BDDH2591
Username: chsab
Path:

The date and time details are missing.

What can be done?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎01-03-2019 04:02 AM

@pinkyyu ,

The fields in your last stats command and fields in your email do not match .
Field in email: $$result.time_detected$$ -> field in search time
Filed in email : $$result.file_path$$ -> Field in search list(file_path)

Change the search or change fields in email

e.g.

src=BDDH2591 source="D" earliest=-14d | table time_detected, src, user, file_path 
| stats list(file_path) as  file_path,list(time_detected) AS time_detected by src user*
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎01-03-2019 04:02 AM

@pinkyyu ,

The fields in your last stats command and fields in your email do not match .
Field in email: $$result.time_detected$$ -> field in search time
Filed in email : $$result.file_path$$ -> Field in search list(file_path)

Change the search or change fields in email

e.g.

src=BDDH2591 source="D" earliest=-14d | table time_detected, src, user, file_path 
| stats list(file_path) as  file_path,list(time_detected) AS time_detected by src user*
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

pinkyyu
New Member
‎01-03-2019 11:51 PM

but the format of the email notification is not good. any way to make it good?
Antivirus information:
Date (UTC-0): 10/27/2018 2:45:08 PM 10/27/2018 2:44:10 PM 10/27/2018 2:44:10 PM
Machine name: BDDH2591
Username: chsab
Path: D:\100MSDCF.lnk D:\293267_2228137858557_1101133293_32911494_1364880061_n.lnk D:\autorun.lnk D:\Bank CV.lnk D:\Bio-Data of Shumi.lnk D:\Color Songs - .lnk D:\Copy of Shortcut to (1).lnk D:\Copy of Shortcut to (2).lnk D:\Copy of Shortcut to (3).lnk D:\Copy of Shortcut to (4).lnk D:\100MSDCF.lnk D:\293267_2228137858557_1101133293_32911494_1364880061_n.lnk D:\autorun.lnk D:\Bank CV.lnk D:\Bio-Data of Shumi.lnk D:\Color Songs - .lnk D:\DSC_0025.lnk D:\DSC_0027.lnk D:\DSC_0028.lnk D:\DSC_0173.lnk D:\DSC_0174.lnk D:\joined-all.lnk D:\Learn all Forms of Arabic Alphabet Letters (Beginning, Middle & End of a Word).lnk D:\MOA.lnk 😧
asim b day.lnk D:\Phonics Song .lnk D:\Pics.lnk D:\RECYCLER.lnk D:\rrrr.lnk D:\Rujaan b day.lnk D:\Ruma_CV.lnk D:\Saiful.lnk D:\SIVC.lnk D:\The Annoying Orange.lnk D:\Twinkle Twinkle Little Star.lnk D:\videoplayback_11.lnk D:\videoplayback_15.lnk D:\videoplayback_16.lnk

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎01-04-2019 05:52 PM

you may combine those multivalue field and then expand them to get one event per row. Also select Inline table for the result in email settings

 src=BDDH2591 source="D" earliest=-14d | table time_detected, src, user, file_path 
 | stats list(file_path) as  file_path,list(time_detected) AS time_detected by src user*
 | eval x=mvzip(file_path,time_detected,"#")|table src,user,x
 | mvexpand x|rex field=x "(?<file_path>.+)#(?<time_detected>.+)"|fields - x
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

pinkyyu
New Member
‎01-06-2019 07:36 PM

after testing the modified search, the format in email is the same. All file paths are shown together.

  1. Does it the constraint of the email notification?

Date (UTC-0): 10/27/2018 2:45:08 PM 10/27/2018 2:44:10 PM 10/27/2018 2:44:10 PM 10/27/2018 2:44:10 PM 10/27/2018 2:44:10 PM 10/27/2018 2:45:08 PM 10/27/2018 2:44:10 PM 10/27/2018 2:44:10 PM 10/27/2018 2:45:08 PM 10/27/2018 2:44:10 PM 10/27/2018 2:44:10 PM 10/27/2018 2:44:10 PM
Machine name: BDDH2591
Username:
Path: D*:\100MSDCF.lnk D:\Copy of Shortcut to (1).lnk D:\100MSDCF.lnk D:\COOL.vbs D:\COOL.vbs D:\100MSDCF.lnk D:\Copy of Shortcut to (1).lnk D:\100MSDCF.lnk D:\100MSDCF.lnk D:\Copy of Shortcut to (1).lnk D:\COOL.vbs D:\100MSDCF.lnk*

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎01-06-2019 09:51 PM

How are you getting this in the result from splunk search head? Are these in single filed or multiple rows? And are you sending them in table in email ?

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

pinkyyu
New Member
‎01-06-2019 10:10 PM

i created a dashboard and use below command with mentioned search command to trigger the email notification via dashboard

|sendemail to="$email$," from="XXX@com>" subject="Information ($case_id$)" message="Dear $name$,
Details:
Date (UTC-0): $$result.time_detected$$
Machine name: $$result.src$$
Username: $$result.user$$
Path: $$result.file_path$$

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...