SENDRESULTS Command In Splunk

SENDRESULTS Command In Splunk

Hello Everyone,
In our previous blog, we had talked about SENDING MULTIPLE ALERTS BASED UPON MULTIPLE CONDITIONS USING ONE ALERT IN SPLUNK. Hope all of you had enjoyed that blog. So today we have come with a new topic related to the above-mentioned blog that is SENDRESULTS command in Splunk.
To use the SENDRESULTS command we have to install an Add-On called Sendresults in Search Head. So we have already installed the Add-On on the Search Head as you can see below.

1

Also, you can download the Add-On from the below link.
https://splunkbase.splunk.com/app/1794/

After installing this Add-On you will able to use a command called SENDRESULTS.
SENDRESULTS is a powerfull SPL command which allows you to send the results to individual persons dynamically via email based upon the results.
Key Features :
Dynamically evaluate who to send results to, the email subject, and the email body, based upon the results of the search itself
– Send only relevant search results to an individual
– A simple command and alert action
– no scripting or coding required
– Uses the built-in email configuration of Splunk
– Parse inline CSS to customize the look of the tabulated results
– Specify a limit on the outgoing results
– Email group, comma-separated or individual email addresses

Syntax :

| sendresults [subject=<string>] [body=<string>] [maxrcpts=<int>] [msgstyle=<string>] [showemail=<boolean>]

Require Arguments :
There must be a field called email_to in your result. Data in this field must be in tabular format. Also, the values within this field must be a valid email address or a comma-separated list of valid email addresses.
Optional Arguments :
subject
This is for setting up a custom subject of the email. Also, you have to put the values in between double-quotes.
Defaults to “Splunk Alert!”.

body
This is for setting up a custom body of the email. Also, you have to put the values in between double-quotes.
Defaults to “You are receiving this e-mail because a set of sensitive events detected by a Splunk search contained your e-mail as the responsible party. Auto-generated results compilation follows:”

maxrcpts
It limits the number of emails get sent out.
Defaults to 200.

msgstyle
Allows inline CSS to be parsed to style the email going out to individuals. Also, you have to put the values in between double-quotes.
Defaults to “table {font-family:Arial;font-size:12px;border: 1px solid black;padding:3px}th {background-color:#4F81BD;color:#fff;border-left: solid 1px #e9e9e9} td {border:solid 1px #e9e9e9}”

showemail
showemail=t|f
It allows the email column of the results to be hidden in the emails that were sent to the recipients.
Defaults to true (i.e. showemail=t).

Difference between sendmail and sendresults command.
Compared to the sendmail command, sendresults command is a little bit different and more dynamic. In the sendmail command, you have to hardcode the email addresses of the recipients into the search string. But the problem is that results will go to that particular email address(es) which you had specified in the query. In the case of sendresults command, email address(es) can be dynamically evaluated from the results. So for this, some results can be sent to an individual and other results can be sent to the other individuals.

Example 1:
We have written a sample query. See the below query.

| makeresults 
| eval a="200,maityayan1996@gmail.com/300,elktraining2018@gmail.com/400,bubaimaity00000@gmail.com" , a=split(a,"/") 
| mvexpand a 
| table a 
| makemv delim="," a 
| eval status=mvindex(a,0) , email_to=mvindex(a,1) 
| fields - a | sendresults
2

So the emails will be sent to the individual recipients based upon the condition.
See the screen-shots given below. Here in the each and every email, you can see the email addresses related to their results.
Because here all the defaults parameters will be applied. See the above mentioned Optional Arguments section.

4
3
5

Example 2:
We have written another sample query. See the below query.

| makeresults 
| eval a="200,maityayan1996@gmail.com/300,elktraining2018@gmail.com/400,bubaimaity00000@gmail.com" , a=split(a,"/") 
| mvexpand a 
| table a 
| makemv delim="," a 
| eval status=mvindex(a,0) , email_to=mvindex(a,1) 
| fields - a | sendresults showemail=f subject="Multi Alert Triggered" body="You are getting this alert for Http Status Error" maxrcpts="10"
6

So the emails will be sent to the individual recipients based upon the condition.
See the screen-shots given below. Here we have given showemail=f means the email addresses will be hidden in the email. We have given a subject called “Multi Alert Triggered” so it will be the subject of the email. Also, we have given a body called “You are getting this alert for Http Status Error” . Also, the email will be sent to the first 10 recipients as we have given maxrcpts=10.

7
8
9


Log Monitoring :
The beauty of this command is you can see the logs related to this command are stored in the Splunk in the below path.

$SPLUNK_HOME/var/log/sendresults.log
So you can monitor to report related to this command very easily also you can get the error logs for troubleshooting.

10


Not only error logs, but you also can track the recipient’s information, messages also how many emails an individual recipient has received.

11

Hope you have enjoyed this blog.
Happy Splunking!!!

Advertisements

2 comments

  1. Hi i m getting this error while executing sendresults command .Plz help.

    command=”sendresults”, Error : Traceback: Traceback (most recent call last): File “C:\Program Files\Splunk\etc\apps\sendresults\bin\sendresults.py”, line 261, in sendemail(recipient, recipient_list[recipient].get(’email_subj’) , outbound, argvals) File “C:\Program Files\Splunk\etc\apps\sendresults\bin\sendresults.py”, line 106, in sendemail smtp = smtplib.SMTP(server) File “C:\Program Files\Splunk\Python-2.7\Lib\smtplib.py”, line 256, in __init__ (code, msg) = self.connect(host, port) File “C:\Program Files\Splunk\Python-2.7\Lib\smtplib.py”, line 317, in connect self.sock = self._get_socket(host, port, self.timeout) File “C:\Program Files\Splunk\Python-2.7\Lib\smtplib.py”, line 292, in _get_socket return socket.create_connection((host, port), timeout) File “C:\Program Files\Splunk\Python-2.7\Lib\socket.py”, line 575, in create_connection raise err error: [Errno 10013] An attempt was made to access a socket in a way forbidden by its access permissions

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.