https://community.splunk.com/t5/Splunk-Search/How-to-create-multiple-reports-pdf-output-from-a-single-search/m-p/400549#M116053 <P>hi folks, we got a requirement to create xx number of reports based on a filter. <BR /> For example the lookup file has filter of team</P> <PRE><CODE>TeamName,sourcetype Windows,windows:* Unix,syslog Oracle,oracle* </CODE></PRE> <P>We have a single search to grab the data , but based on the lookup, I need to xx reports based on TeamName Split the PDF/report within the result. So while sending, it needs to be in xx reports (3 in above case). <CODE>Windows.pdf, unix.pdf, Oracle.pdf</CODE> and so on</P> <P>Is it possible to do? Or do we need xx number of searches to do this? (please note, our requirement is about 70 such groups which makes it 70 individual searches otherwise)</P> Sat, 06 Apr 2019 20:39:31 GMT koshyk 2019-04-06T20:39:31Z https://community.splunk.com/t5/Splunk-Search/How-to-create-multiple-reports-pdf-output-from-a-single-search/m-p/400549#M116053 <P>hi folks, we got a requirement to create xx number of reports based on a filter. <BR /> For example the lookup file has filter of team</P> <PRE><CODE>TeamName,sourcetype Windows,windows:* Unix,syslog Oracle,oracle* </CODE></PRE> <P>We have a single search to grab the data , but based on the lookup, I need to xx reports based on TeamName Split the PDF/report within the result. So while sending, it needs to be in xx reports (3 in above case). <CODE>Windows.pdf, unix.pdf, Oracle.pdf</CODE> and so on</P> <P>Is it possible to do? Or do we need xx number of searches to do this? (please note, our requirement is about 70 such groups which makes it 70 individual searches otherwise)</P> Sat, 06 Apr 2019 20:39:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-multiple-reports-pdf-output-from-a-single-search/m-p/400549#M116053 koshyk 2019-04-06T20:39:31Z https://community.splunk.com/t5/Splunk-Search/How-to-create-multiple-reports-pdf-output-from-a-single-search/m-p/400550#M116054 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/221196">@koshyk</a> can you try the following</P> <PRE><CODE>| inputlookup team_data.csv | map maxsearches=100 search="| tstats count where index=_internal AND sourcetype IN ("$sourcetype$") by sourcetype | eval emailFieldForTest=\"$email$\" | sendemail to=\"$email$\" format=\"html\" server=smtp.abc.com:123 use_tls=1 subject=\"Alert for $TeamName$\" message=\"This is an alert for $TeamName$\" sendpdf=true" </CODE></PRE> <P>The search query returns result only sourcetype for specific team at a time. The <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Sendemail" target="_blank">sendemail</A> command uses <CODE>$email$</CODE> passed through <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Map" target="_blank">map</A> command.</P> <P>PS: You can remove sendemail command to test whether <CODE>emailFieldForTest</CODE> is being populated with correct email or not. When you get this to working you can get rid of <CODE>emailFieldForTest</CODE> field.</P> <P>Team data for above example is based on Splunk's _internal index which prepares the lookup similar to yours for <CODE>splunkd, access and mongodb</CODE> sourcetypes in Splunk's <CODE>_internal</CODE> index.</P> <PRE><CODE>| makeresults | fields - _time | eval data="splunkd,splunkd,splunkd_support@somewhere.com;access,*access*,access_support@somewhere.com;mongodb,mongodb,mongodb_support@somewhere.com" | makemv data delim=";" | mvexpand data | makemv data delim="," | eval TeamName=mvindex(data,0),sourcetype=mvindex(data,1),email=mvindex(data,2) | table TeamName sourcetype email | outputlookup team_data.csv </CODE></PRE> Tue, 29 Sep 2020 23:58:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-multiple-reports-pdf-output-from-a-single-search/m-p/400550#M116054 niketn 2020-09-29T23:58:32Z https://community.splunk.com/t5/Splunk-Search/How-to-create-multiple-reports-pdf-output-from-a-single-search/m-p/400551#M116055 <P>thank you mate. I've got the idea. will accept it.</P> Sun, 07 Apr 2019 16:24:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-multiple-reports-pdf-output-from-a-single-search/m-p/400551#M116055 koshyk 2019-04-07T16:24:43Z