Discover the Power of SendResults: A Life-Changing Splunk Command and Alert Action

Are you tired of hardcoding email addresses into your searches and alerts? Do you want a more dynamic way to send search results to individuals based on the data within your search results? Look no further than SendResults, a powerful Splunk command and alert action developed by Discovered Intelligence.

SendResults allows you to send your tabulated search results to individuals dynamically based on the data within the results. This means that you no longer need to hardcode an email into the search but can evaluate the email addresses from the search result. With its wide range of use cases, Sendresults can transform the way you use Splunk for security, operations and more.

Example Use Cases

One of the benefits of Sendresults is its versatility. There are many different use cases where it can be useful, including:

  • Security: Send results to individuals who are locked out of their accounts with instructions on how to reset their password or get their account unlocked. You can also send results to individuals or incident responders about identified security incidents relevant to them specifically.
  • Operations: Send results to internal business customers with a report on their Splunk license usage for a given period. You can also send results of high severity issues to one person and send results of lower severity issues to the whole team. Alternatively, send results to one person but include the whole team when the severity is high.

How SendResults is Different:

If you’re familiar with the email action or sendemail command in Splunk, you might be wondering how Sendresults is different. The key difference is that Sendresults allows for more dynamic evaluation of the email address(es) to send results to. With Sendresults, you can evaluate who to send results to, the email subject, email body, and the email footer, all based on the results of the search itself. Additionally, Sendresults allows you to send the relevant search results as a CSV attachment to an email address, as well as Bcc’ing additional email addresses if necessary.

How to Use Sendresults:

We can use Sendresults in a search or as an alert action. There must be a field named email_to within the results that are passed into Sendresults, and ideally the results should be in tabular form. The value of the email_to field is used to group the results together, and it must be a valid email address or a comma-separated list of email addresses. If email_subj, email_body or email_footer fields are also present in the results, the first value of each of those fields for a given email_to sets the corresponding part of that email. Also, if you set sendcsv to true, the results for each email are sent as a CSV attachment.

Use Case Example:

Here I am using SendResults to send the web access search results with a method of “POST” to one email address and the results with a method of “GET” to another. I am also attaching the results to each email as a CSV file.

[Screenshot: Sendresults search query in Splunk]

In the above screenshot, I am doing a stats count of events by the method field for Splunk internal logs with sourcetype splunk_web_access. I am using both the email_to and email_subj fields in this search; the email_subj field customises the email subject according to the method. I am also exploring the new features: setting the field order for the email and attaching the search results to the email as a CSV file.
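The following search is an added example, not the post’s own search or screenshot. It puts the field contract from the How to Use section and the GET/POST use case above into one search: one row per HTTP method, an email_to value chosen from the method so that GET, POST and everything else each become a separate email, and a matching email_subj. The _internal index and 24-hour window, the placeholder addresses and the email_body text are assumptions; sendcsv=true is the option the post names.

```spl
index=_internal sourcetype=splunk_web_access earliest=-24h
| stats count by method
| eval email_to=case(method=="GET",  "get-owner@example.com",
                     method=="POST", "post-owner@example.com",
                     true(),         "web-team@example.com")
| eval email_subj=case(method=="GET",  "GET Requests",
                       method=="POST", "POST Requests",
                       true(),         "All Other Requests")
| eval email_body="Request counts by method from splunk_web_access, last 24 hours"
| table method count email_to email_subj email_body
| sendresults sendcsv=true
```

Because results are grouped by email_to, every method other than GET and POST lands in the single “All Other Requests” email, and the table command fixes the column order that appears in the email and in the CSV attachment.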

Below are the emails that were received for each method at the email addresses provided.

  • The email for search results with the method “GET” is sent with the subject ‘GET Requests’ to the email address provided.
    [Screenshot: Sendresults GET request]
  • The email for search results with the method “POST” is sent with the subject ‘POST Requests’ to the email address provided.
    [Screenshot: Sendresults POST requests in Splunk]
  • All other methods are sent with “All Other Requests” as the subject of the email.
    [Screenshot: Sendresults all other requests]

Conclusion

Sendresults is an immensely powerful Splunk command and alert action that allows for more dynamic evaluation of who to send search results to, making it easier to send relevant search results to specific individuals. With its many features and easy-to-use interface, Sendresults is a must-have tool for anyone looking to streamline their Splunk searches and alerts. So, what are you waiting for? Download Sendresults today from Splunkbase and see how it can change your Splunk experience!


Looking to expedite your success with Sendresults? Click here to view our Splunk Professional Service offerings.

© Discovered Intelligence Inc., 2023. Unauthorised use and/or duplication of this material without express and written permission from this site’s owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Discovered Intelligence, with appropriate and specific direction (i.e. a linked URL) to this original content.