Re: Can I use a lookup table of email addresses th...

Cyril31200 · ‎08-29-2017

Hello,

Could you please tell me if it is possible to provide an email distribution list from a lookup table to a Splunk Alert which send email ?
In other words, could I used search results (lookup table) to provide a list of email adresse to an Alert ?

Thanks by advance,

Cyril

woodcock · ‎09-23-2017

You can't do it in the alert but you can do it in the SPL. See my (admitted-to-work yet somehow still unaccepted) answer in this Q&A:

https://answers.splunk.com/answers/401081/how-to-use-the-sendemail-command-to-send-an-email.html

It says basically this (you just need to integrate your extra lookup into the solution):

This is from another Q&A:
https://answers.splunk.com/answers/399434/send-emailed-results-to-an-email-address-in-the-re.html#an...

If you need to send a contextually-appropriate subset of results to some people, you can skip the configuration-based email settings and do this in SPL:

... | outputcsv TempFile.csv
| stats values(Email_Address) AS emailToHeader | mvexpand emailToHeader
| map search ="|inputcsv TempFile.csv | where Email_Addresss=\"$emailToHeader$\"
   | fields - Email_Address
   | sendemail
      sendresults=true inline=true
      server=\"Your.Value.Here\"
      from=\"Your.Value.Here\"
      to=\"$emailToHeader$\"
      subject=\"Your Subject here: \$name\$\"
      message=\"This report alert was generated by \$app\$ Splunk with this search string: \$search\$\""
| where comment="MakeSureNoEventsRemail"
| append [|inputcsv TempFile.csv]

woodcock · ‎06-28-2018

@Cyril31200 if this worked for you, please click Accept to close the question and make it easier for others to find valid solutions.

Can I use a lookup table of email addresses that receive an alert?

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

Everything Community at .conf24!

Index This | I’m short for "configuration file.” What am I?