Alerting

How to send a specific set of data to a specific recipient?

ASISH_9
Engager

Hello,
I have a set of data in the following form.

Domain  Application  TicketId  Hours  Recipient
HR      abb          123rrr    121    h1@gmail.com
HR      hhg          145rew    100    h1@gmail.com
Hi      aby          123rrt    120    h2@gmail.com
Hi      hhu          145rty    109    h2@gmail.com
Hl      abo          123rhg    127    h3@gmail.com
Hl      hhi          145rll    105    h3@gmail.com
Hl      abp          123rkh    123    h3@gmail.com
Tm      hhp          145rfdf   100    h4@gmail.com

The query which I have written generates this:
"search query|eval recipient=case(Domain=HR,recipient=h1@gmail.com,Domain=Hi,recipient=h2@gmail.com,Domain=Hl,recipient=h3@gmail.com)|"
so that it sends specific data to specific recipients as mail alerts.
For example, if the domain is HR then all data related to HR should go to h1@gmail.com, not the data of the remaining domains.
In my mail alert settings the alert mode is also "once per search", and in the To field it is $recipient.result$, but still the mail is not sending specific results to specific recipients. It is sending the whole data.

Please suggest what should be done

0 Karma

somesoni2
Revered Legend

You need to select the alert mode "once per result". Be aware that with your current search it may send duplicate alerts if there are multiple records for each email address. To avoid that you can do it like this:

your current query generating above output | stats list(*) as * by Recipient

Also, the To field should be $result.recipient$. Is that a typo in your post?

ASISH_9
Engager

Thanks, this worked.
But now the problem is that the mail is not sent in an organised format.
I was expecting:

recipient     Domain  Application
h1@gmail.com  HR      abc
              HR      hhg

Rather, it came in this way:

recipient     Domain  Application
h1@gmail.com  HR HR   abc hhg

Can we bring the table into the first format?

0 Karma

cmerriman
Super Champion

Try this eval:

|eval recipient=case(Domain="HR","h1@gmail.com",Domain="Hi","h2@gmail.com",Domain="Hl","h3@gmail.com")

and see if that works.
And in the To field: $result.recipient$

0 Karma
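Putting the two answers above together, here is a complete search that routes each domain's tickets to exactly one recipient and keeps each ticket's Domain, Application, TicketId and Hours paired on one line. This is an added example, not code posted in the thread; the index and sourcetype names are assumptions, the field names come from the sample data in the question, and the fallback to the source's own Recipient column (for domains the case() does not list, such as Tm in the sample) is a choice made here.

```spl
index="tickets" sourcetype="ticket_hours"
| eval recipient=coalesce(case(Domain="HR", "h1@gmail.com",
                               Domain="Hi", "h2@gmail.com",
                               Domain="Hl", "h3@gmail.com"),
                          Recipient)
| eval ticket_line=Domain." | ".Application." | ".TicketId." | ".Hours
| stats count AS ticket_count, sum(Hours) AS total_hours, list(ticket_line) AS tickets BY recipient
| table recipient, ticket_count, total_hours, tickets
```

Save this as an alert that triggers for each result (the "once per result" mode from the first answer) with the To field set to $result.recipient$. Because the stats groups on the computed recipient, each result row (and therefore each email) contains only that recipient's tickets, which is the data-separation point of the original question: nobody receives another domain's ticket data. Building ticket_line before the stats is what fixes the second problem; list(*) produces one multivalue column per field, so Domain and Application lose their pairing ("HR HR abc hhg"), whereas list(ticket_line) yields one complete ticket per value. Two things to check: Splunk field names are case-sensitive, so the eval'd recipient and the source column Recipient are different fields (grouping by Recipient while the To field reads $result.recipient$ will not behave as intended), and the string literals in case() must be quoted, otherwise HR or h1@gmail.com is parsed as a field name, not a value.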