Alerting

Send one email to multiple recipients using action.email

Poojitha
Path Finder

Hi All,

I have created an alert that looks for instances with no proper tags. The search in the alert will return the instance name and instance owner. At the scheduled time, an email notification is sent to all owners with the CSV file attached.


I am using action.email.to=$result.email_address$ (dynamic email address returned from the search). Through this, the email notification is sent successfully to all users in $result.email_address$, but it is sent separately. I want all of the users to be in the To field, so that one email will be sent.

Please let me know how we can achieve this.

Regards,
PNV

0 Karma

PickleRick
SplunkTrust

It's not up to Splunk. It's up to the email infrastructure. In the end, an email to many recipients ends up as many single emails, one in each recipient's mailbox. So I'm not quite sure what you want to achieve here.

0 Karma

isoutamo
SplunkTrust

Hi

Can you clarify what you mean by this?

I am using action.email.to=$result.email_address$ (dynamic email address returned from the search). Through this, the email notification is sent successfully to all users in $result.email_address$, but it is sent separately. I want all of the users to be in the To field, so that one email will be sent.

If I understood correctly, you can send email to those users, but "it's not sent like you want"?

r. Ismo

0 Karma

Poojitha
Path Finder

@isoutamo: Yes, it is not getting sent like I want.

I want all the email recipients to be in the "To" field with my email ID in Cc. There are around 100 email addresses returned from the search. If the emails are sent separately, then my inbox will be bombarded with 100 emails. This makes it difficult for me to follow up as well.

So, I want to send one email. This is my requirement.

Regards,
PNV

0 Karma

isoutamo
SplunkTrust

If you have several duplicate email addresses in the To field, then you could add dedup or something similar (stats + values) to remove those.
0 Karma

Poojitha
Path Finder

@isoutamo No sir, it's not about duplicates.

Let me be more clear then.

Example: Below is an example result from my alert search.

Instance Name   Owner            Tags
i-test1         Test1@gmail.com  Incorrect
i-test2         Test2@gmail.com  Missing
i-test3         Test3@gmail.com  Missing


Now I have to send an email to these three users with all of them in the "To" field.

How am I setting the email address? Using $result.Owner$. This gets all three emails returned from the result and the alert notification is sent. But it is sent as three separate emails:
One email to Test1@gmail.com,
Another separate email to Test2@ge.com,
A third separate email to Test3@gmail.com.
For all of these three emails, admin@gmail.com is in Cc.

This is just an example with 3 users. But like this there are 100 owners and different instances. Sending separate emails to all 100 users with admin@gmail.com in Cc will burden the mailbox of admin@gmail.com, and follow-up will be difficult as well.

So, I have to send one email notification with all of test1@gmail.com, test2@gmail.com and test3@gmail.com in the "To" field and admin@gmail.com in Cc. This just sends one email with all owners in the To field.

I want to achieve this using action.email.to. This is my whole requirement. Please help me.

Regards,
PNV

0 Karma

PickleRick
SplunkTrust

The sendemail.py script responsible for sending the emails just creates a single session and sends a single email to your configured SMTP server. The SMTP server is then responsible for sending the email on.

Anyway, if your emails are sent to three separate addresses on gmail, how do they land in the admin's mailbox? You didn't mention anything about specifying a Cc: address in your sendemail command.

0 Karma

Poojitha
Path Finder

@PickleRick: admin@gmail.com will be specified in action.email.Cc="admin@gmail.com".

action.email.to=$result.owner$
action.email.Cc=admin@gmail.com

So, you mean the sendemail.py script does not have the capability to send one email to different users with all of them in the To field? We cannot do that?

Regards,
PNV

0 Karma

PickleRick
SplunkTrust

Check in splunkd.log in your _internal index how sendemail.py is called.

0 Karma

isoutamo
SplunkTrust

As @PickleRick said, this is how email works. As you have 3 separate emails there, even the account admin@foo.bar will be in Cc on all of those. There is no way you can separate those into three separate emails for the To recipients and then merge them again into one for the Cc recipient.

If you want this to work the way you want, then you must change your process and handle this in some different way. Could you e.g. separate the alert into two parts: one for the To recipients and a second one for the Cc recipients? Unfortunately, I'm afraid that this generates some other issues for you 😞

0 Karma

Poojitha
Path Finder

@isoutamo Yes sir. If my requirement cannot be met through the sendemail.py script, then I have to look for another way, like handling this through some other tools.

This is my actual requirement. It should be as below:

action.email.to=$result.owner$ - all users from the result here
action.email.cc=$admin@foo.bar$

I think then I cannot make this happen through the alert capability in Splunk.

Note: gmail.com is just for example purposes here. This will be different in the actual case, in line with my org.

Regards,
PNV

0 Karma

isoutamo
SplunkTrust

If you are sending exactly the same email to all recipients, then you could probably use e.g. the *stats commands to combine all recipients into an mv-field and then pass that to the To field as a,b,….

0 Karma
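The following savedsearches.conf stanza is an added worked example of the approach isoutamo describes (combine the owners with a stats-family command, then hand the joined list to action.email.to); it is not code from the thread or from Splunk. The stanza name, the schedule, the subject and the base search are placeholders; the field names Instance Name, Owner and Tags are the ones from the example table above. It relies on two documented behaviours: eventstats values() keeps one row per instance (so the attached CSV still lists every instance) while writing the same de-duplicated set of Owner addresses into every row, and a $result.fieldname$ token is expanded from the first result row, which here holds the complete comma-separated list. values() also drops duplicate addresses, which covers the earlier dedup suggestion. One caveat for a list of around 100 owners: every address in To is visible to every other recipient, together with the instance list in the CSV; if that disclosure is not wanted, put the joined list in action.email.bcc instead of action.email.to and the result is still a single message.

```ini
# savedsearches.conf (example stanza; stanza name, schedule, subject and the
# base search are placeholders, not values from the thread)
[untagged_instances_digest]
# Keep one row per instance for the attached CSV, but add a field that holds
# every distinct Owner address joined with commas, identical on every row.
search = <base search that returns "Instance Name", Owner, Tags> \
| eventstats values(Owner) as recipients \
| eval recipients = mvjoin(recipients, ",")
enableSched = 1
cron_schedule = 0 8 * * *
dispatch.earliest_time = -24h
dispatch.latest_time = now
# Fire only when at least one untagged instance was found
counttype = number of events
relation = greater than
quantity = 0
action.email = 1
# $result.recipients$ is read from the first result row; because eventstats
# wrote the same joined list into every row, that is the full owner list,
# so a single message goes out with all owners in To.
action.email.to = $result.recipients$
action.email.cc = admin@foo.bar
# Use action.email.bcc = $result.recipients$ instead of the To line above
# if the owners should not see each other's addresses.
action.email.sendcsv = 1
action.email.subject = Instances with missing or incorrect tags
```

After saving the stanza (or creating the equivalent alert in the UI with the same search and the same token in the To field), confirm the single delivery the same way PickleRick suggests: check the sendemail.py invocation logged to splunkd.log in _internal, which shows the expanded recipient list once rather than once per owner.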