Solved: How to run a scheduled reports but only if the sea...

stakor · ‎04-17-2017

I am looking to run a scheduled report, but I would like to only receive an email if the search powering the report has found something.

Can one accomplish such a thing?

If you are looking for people who visit test[.]com, and in the last week (Duration of the search), no one has gone there, then there should be no email. If someone has gone to test[.]com in the last week, then it should list their name, and send an email.

I don't know if conditional sending is available in Splunk or not.

jonmargulies · ‎04-17-2017

Change it to an alert. An alert in Splunk is basically just a report but with conditionals like the one you're talking about. One of the simplest ways to set an alert is to only email if the number of results is >0.

View solution in original post

jonmargulies · ‎04-17-2017

Change it to an alert. An alert in Splunk is basically just a report but with conditionals like the one you're talking about. One of the simplest ways to set an alert is to only email if the number of results is >0.

How to run a scheduled reports but only if the search contains results?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?