Sendresults Command for Splunk

sendresults is an immensely powerful, life-changing Splunk command developed by Discovered Intelligence, that allows you to send tabulated search results to individuals dynamically, based upon the data within the results. This means that you no longer need to hardcode an email into the search, but can evaluate the email addresses instead.

Click here to download from the Splunk App store.

Example Use Cases

The Use Cases for this command are wide and far reaching. Here are some examples of where this command might be useful:

Security

  • sendresults to individuals who are locked out of their accounts with instructions on how to reset their password or get their account unlocked.
  • sendresults to individuals or incident responders about identified security incidents relevant to them specifically

Operations

  • sendresults to internal business customers with a report on their Splunk license usage for a given period of time
  • sendresults of high severity to one person and send results of a lower severity to the whole team. Alternatively, sendresults to one person but include the whole team, when the severity is high.
How is this different to the sendemail command?

Quite different and a lot more dynamic. The sendemail command allows a user to send the results of a search to an email address hardcoded into the search string. The problem here is that you have to state the email address(es) upfront within the search and all of the results go to the specified email address(es). However, using our sendresults command, you can dynamically evaluate the email from the individual results and send some results to one individual and other results to other individuals.

Key Features

We have worked hard to ensure this command is not only simple to use, but also contains awesome functionality. Here are the key features of the command:

  • Dynamically evaluate who to send results to, based upon the results of the search itself
  • Send only relevant search results to an individual
  • A simple command – no scripting or coding required
  • Uses the built in email configuration of Splunk
  • Customise the email subject and body
  • Parse inline CSS to customise the look of the tabulated results
  • Specify a limit on the amount of results sent
  • Email group, comma separated or individual email addresses
  • It’s totally free! (Although, if you are looking for Splunk Services click here).
Syntax

sendresults [subject=<string>] [body=<string>] [maxrcpts=<int>] [msgstyle=<string>] [showemail=<boolean>]

Required Arguments

None, but there must be a field named email_to within the results and ideally data should be formatted in tabular format. This email_to field can be evaluated based upon the data within the results. The value of this field must be a valid email address or a comma separated list of email addresses.

Optional Arguments

subject
Syntax: subject=<string>
Description: The subject of the email – requires quotes. Defaults to “Splunk Alert!”. The same subject is used for all emails sent.

body
Syntax: body=<string>
Description:  The body of the email – requires quotes. Defaults to “You are receiving this e-mail because a set of sensitive events detected by a splunk search contained your e-mail as the responsible party. Auto-generated results compilation follows:”

maxrcpts
Syntax: maxrcpts=<int>
Description: Allows a limit to be provided that controls how many emails get sent out. This is to prevent an oversight that might result in a lot more people being emailed than imagined. Defaults to 200.

msgstyle
Syntax: msgstyle=<string>
Description: Allows inline CSS to be parsed to style the email going out to individuals – requires quotes. Defaults to “table {font-family:Arial;font-size:12px;border: 1px solid black;padding:3px}th {background-color:#4F81BD;color:#fff;border-left: solid 1px #e9e9e9} td {border:solid 1px #e9e9e9}”

showemail
Syntax: showemail=<boolean>
Description: Allows the email column of the results to be hidden in the emails that are sent out. Accepted values are t or f; representing true or false respectively. Defaults to true (i.e. showemail=t).

Examples

Example 1: Send web access search results with a method of “POST” to one email address and search results with a method of “GET” to another.
…| eval email_to=case(method==”GET”,”email_1@discoveredintelligence.ca”, method==”POST”, “email_2@discoveredintelligence.ca”)
| sendresults subject=”Splunk Internal Results” body=”Here are the internal Splunk results for you to review” msgstyle=”table {font-family:Arial;font-size:12px;border: 1px solid black;padding:3px}th {background-color:#AAAAAA;color:#fff;border-left: solid 1px #e9e9e9} td {border:solid 1px #e9e9e9}”

Example 2: Build the email address to send to from the user_id field in the results.
…| eval email_to=user_id.”@discoveredintelligence.ca” | sendresults

Example 3: Take the current email address and append a hardcoded CC address to the dynamic email address.
…| eval email_to=email.”,my_cc_email@discoveredintelligence.ca” | sendresults

Example 4: Specify a limit of 500 rather than the default of 200 and choose not to display the email column in the emails being sent out.
…| sendresults maxrcpts=500 showemail=f

Example 5: Bring in a lookup containing values X and Y depending on the result, then send results containing an X to one email and results containing a Y to another.
…| lookup field1 AS field1 OUTPUT xyfield AS xyfield | eval email_to=case(xyfield==”X”,”email_1@discoveredintelligence.ca”, xyfield==”Y”,”email_2@discoveredintelligence.ca”) | sendresults

Command Logging

Of course, this being Splunk, we have to include some logging for completeness! The sendresults command has a dedicated log file for your viewing and indexing pleasure. The location of the log file is SPLUNK_HOME/var/log/sendresults.log and it contains error logs, in addition to informational messages about how many results were sent out and to whom they were sent to.

Troubleshooting

I get tons of fields in my emails, but only want to see a few
– You should declare the fields you want to see through the use of commands like | fields, | table or | stats.

I see a lot of _fields in the email results, but I do not want to see these
– You can use something like | fields – _* to remove these fields and stop them being inserted into the email results. Bear in mind you might want to see the _time field, so you could | rename this field to time or similar, then do | fields – _* to eliminate the other underscored fields.

I don’t want to see the email field in my results
– Use the showemail=f argument when crafting the search

 

Click here to download from the Splunk App store.

For support, feedback, questions, concerns – feel free to contact us: support<AT>discoveredintelligence.ca

Looking to expedite your success with Splunk? Click here to view our Splunk service offerings.

© Discovered Intelligence Inc., 2014. Do More with your Big Data™. Unauthorised use and/or duplication of this material without express and written permission from this site’s owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Discovered Intelligence, with appropriate and specific direction (i.e. a linked URL) to this original content.