Hi All,
I have created an alert that looks for instances with no proper tags. The search in the alert will return the instance name and instance owner. At the scheduled time, an email notification is sent to all owners with the CSV file attached.
I am using action.email.to=$result.email_address$ (dynamic email address returned from search). Through this, the email notification is getting sent successfully to all users in $result.email_address$ but is getting sent separately. I want all of the users to be in the "to" field, so that one email will be sent.
Please let me know how we can achieve this?
Regards,
PNV
It's not up to Splunk. It's up to the email infrastructure. In the end, an email to many recipients ends up as many single emails in each of the recipients' mailboxes. So I'm not quite sure what you want to achieve here.
Hi
can you clarify what you are meaning with this?
I am using action.email.to=$result.email_address$ (dynamic email address returned from search). Through this, the email notification is getting sent successfully to all users in $result.email_address$ but is getting sent separately. I want all of the users to be in to field , so that one email will be sent.
If I understood correctly you can send email to those users but "it's not sent like you want"?
r. Ismo
@isoutamo: Yes, it is not getting sent like I want.
I want all the email recipients to be in the "to" field with my email-id in Cc. There are around 100 email addresses returned from the search. If emails are sent separately, then my inbox will be bombarded with 100 emails. This makes it difficult for me to follow up as well.
So, I want to send one email. This is my requirement.
Regards,
PNV
@isoutamo No sir, it's not about duplicates.
Let me be more clear then.
Example : Below is my example result from alert search.
Instance Name | Owner | Tags |
i-test1 | Test1@gmail.com | Incorrect |
i-test2 | Test2@gmail.com | Missing |
i-test3 | Test3@gmail.com | Missing |
Now I have to send email to these three users with all of them in "to" field.
How am I setting the email address? Using $result.Owner$. This is getting all three emails returned from the result and the alert notification is getting sent. But it is getting sent as three separate emails.
One email to Test1@gmail.com,
Another separate email to Test2@ge.com
Third separate email to Test3@gmail.com
For all of these three emails , admin@gmail.com is in CC.
This is just an example with 3 users. But like this there are 100 owners and different instances. Sending separate emails to all 100 users with admin@gmail.com will burden emailbox of admin@gmail.com and also follow up will be difficult.
So, I have to send one email notification with all test1@gmail.com, test2@gmail.com and test3@gmail.com in "to" field and admin@gmail.com in Cc. This just sends one email with all owners in to field.
I want to achieve this using action.email.to. This is my whole requirement. Please help me
Regards,
PNV
The sendemail.py script responsible for sending the emails just creates a single session and sends a single email to your configured SMTP server. The SMTP server is then responsible for sending the email away.
Anyway, if your emails are sent to three separate addresses on gmail, how do they land in admin's mailbox? You didn't mention anything about specifying a Cc: address in your sendemail command.
@PickleRick : admin@gmail.com will be mentioned in action.email.Cc="admin@gmail.com".
action.email.to=$result.owner$
action.email.Cc=admin@gmail.com
So, you mean the sendemail.py script does not have the capability to send one email to different users with all of them in the "to" field? We cannot do that?
Regards,
PNV
Check in splunkd.log in your _internal index how is sendemail.py called.
as @PickleRick said this is how email works. As you have there 3 separate email even account admin@foo.bar will be as cc on all of those. There is no way how you can separate those into three separate emails with to-recipients and then merge those again into one for cc-recipient.
If you want that this works like you want, then you must change your process and handle this someway different way. Could you e.g. separate alert for two part: one for to recipients and second one for cc recipients? Unfortunately I'm afraid that this generates some other issues to you 😞
@isoutamo Yes sir. If my requirement cannot be met through the sendemail.py script then I have to look for another way, like handling this through some other tools.
This is my actual requirement. It should be as below :
action.email.to=$result.owner$ - all users from result here
action.email.cc=$admin@foo.bar$
I think then I cannot make this happen through alert capability in splunk then.
Note : gmail.com is just for example purpose here. This will be different in actual case, aligns with my org.
Regards,
PNV
If you are sending exactly same email to all recipients then you probably could use e.g. *stats command to combine all recipients to mv-field and then transfer that to for a,b,….
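One way to apply the suggestion in the last reply, shown as an added example that is not part of the thread: a `savedsearches.conf` stanza that builds a single comma-separated recipient list and triggers once per search run. The stanza name, schedule, `<base search>` placeholder and the `email_to` / `all_owners` field names are assumptions; `Owner` and `admin@gmail.com` are taken from the example in the thread.

```ini
# savedsearches.conf -- added example; stanza name, schedule and the
# base search placeholder are assumptions, not values from the thread.
[Untagged instances - notify owners]
enableSched = 1
cron_schedule = 0 8 * * 1
# <base search> stands for the existing search that returns one row per
# instance with the fields Owner and Tags.
# eventstats copies the de-duplicated list of every Owner onto each row,
# so the CSV keeps one row per instance; mvjoin turns the multivalue
# field into the comma-separated string that action.email.to expects.
search = <base search> \
| eventstats values(Owner) AS all_owners \
| eval email_to=mvjoin(all_owners, ",") \
| fields - all_owners

# Trigger once per search run instead of once per result row.
alert.digest_mode = 1
counttype = number of events
relation = greater than
quantity = 0

# $result.<field>$ is filled from the first result row only. Every row
# carries the same email_to value, so the first row holds all owners.
action.email = 1
action.email.to = $result.email_to$
action.email.cc = admin@gmail.com
action.email.sendcsv = 1
```

Because the token is read from the result set, the `email_to` column also appears in the attached CSV, so every recipient sees the full owner list along with every other owner's rows.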