Alerting

Send email alerts in gz format

dsmc_adv
Path Finder

I want to get more than 10,000 results and, after reading some answers about the limits in the email action, I realized that if I bump from 10,000 to 500,000 results I will have a huge file that I will not be able to send by email. So I started to attack this.

My first thought was to send it directly with a custom alert action: a Python script that emails the results_file, which is easily accessible through the results_file payload, but this gives me raw results that I will have to parse (how?). The other alternative is to modify the default email script for my specific app. Any advice?

It is strange that the default email action only sends plain CSV files and does not give the option of compressing them.


dsmc_adv
Path Finder

I finally created my own app with a script that reads the results_file, cleans the metadata columns, creates a gzip and attaches it to an email. The recipients can be configured through a defined user interface:

https://github.com/rmacian/splunk-gzip-alerts

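The accepted solution describes the shape of such a script. The following is an added example of that pipeline, written for this page and not the code of the linked splunk-gzip-alerts app: when invoked by Splunk as `script.py --execute` it reads the JSON payload from stdin, opens the `results_file` it points to, drops the `__mv_*` helper columns Splunk adds to encode multi-value fields, gzips the cleaned CSV and attaches it to an email. The parameter names under `configuration` (`recipients`, `sender`, `subject`, `smtp_host`, `smtp_port`) and the `SAMPLE_RESULTS` rows are assumptions made up here; an app would declare its parameters in alert_actions.conf.

```python
import csv
import gzip
import io
import json
import smtplib
import sys
from email.message import EmailMessage

# Splunk writes one "__mv_<field>" helper column per field into results.csv.gz
# to encode multi-value fields; they are noise for a human reading the CSV.
METADATA_PREFIXES = ("__mv_",)

# Constructed sample in the shape of a Splunk results CSV (not real data).
SAMPLE_RESULTS = (
    "host,count,__mv_host,__mv_count\n"
    "web01,5,,\n"
    "web02,7,,\n"
)


def strip_metadata_columns(fieldnames, rows, prefixes=METADATA_PREFIXES):
    """Return (kept_fieldnames, cleaned_rows) without the helper columns."""
    kept = [f for f in fieldnames if not f.startswith(prefixes)]
    return kept, [{f: row.get(f, "") for f in kept} for row in rows]


def results_to_gzip_csv(fieldnames, rows):
    """Serialize the cleaned rows back to CSV and gzip them for attachment."""
    text = io.StringIO()
    writer = csv.DictWriter(text, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return gzip.compress(text.getvalue().encode("utf-8"))


def gzip_to_text(data):
    """Inverse of results_to_gzip_csv; used to check the attachment."""
    return gzip.decompress(data).decode("utf-8")


def build_message(sender, recipients, subject, body, attachment, filename):
    """Build a MIME message carrying the gzipped CSV as one attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(attachment, maintype="application",
                       subtype="gzip", filename=filename)
    return msg


def attachment_bytes(msg):
    """Return the decoded payload of the first attachment in msg."""
    return next(msg.iter_attachments()).get_payload(decode=True)


def process_results_text(csv_text, sender, recipients, subject):
    """Clean, compress and wrap a CSV string; returns (message, row_count)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    fieldnames, rows = strip_metadata_columns(reader.fieldnames or [], list(reader))
    body = "%d results with %d columns attached as gzipped CSV." % (len(rows), len(fieldnames))
    msg = build_message(sender, recipients, subject, body,
                        results_to_gzip_csv(fieldnames, rows), "results.csv.gz")
    return msg, len(rows)


def process_results_file(path, sender, recipients, subject):
    """Modular alerts receive results gzipped; a CLI export is plain CSV."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", newline="") as fh:
        return process_results_text(fh.read(), sender, recipients, subject)


def run_from_splunk(stdin=sys.stdin):
    """Entry point for 'script.py --execute': Splunk passes a JSON payload on
    stdin. The keys read from "configuration" are assumed names, not Splunk's."""
    payload = json.load(stdin)
    conf = payload.get("configuration", {})
    recipients = [r.strip() for r in conf.get("recipients", "").split(",") if r.strip()]
    if not recipients:
        sys.stderr.write("ERROR no recipients configured\n")
        return 1
    msg, count = process_results_file(
        payload["results_file"], conf.get("sender", "splunk@localhost"), recipients,
        conf.get("subject", "Splunk alert: %s" % payload.get("search_name", "")))
    with smtplib.SMTP(conf.get("smtp_host", "localhost"), int(conf.get("smtp_port", 25))) as smtp:
        smtp.send_message(msg)
    sys.stderr.write("INFO sent %d results to %s\n" % (count, msg["To"]))
    return 0


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--execute":
        sys.exit(run_from_splunk())
    demo, n = process_results_text(SAMPLE_RESULTS, "splunk@example.com",
                                   ["soc@example.com"], "demo")
    print(n, "rows;", gzip_to_text(attachment_bytes(demo)))
```

Run without arguments it processes the constructed sample and prints the cleaned CSV; under Splunk the `--execute` path is taken and the message is sent over plain SMTP to the configured host, so in practice point `smtp_host` at a relay that the search head is allowed to talk to rather than embedding credentials in the script.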


woodcock
Esteemed Legend

You will have to build your own modular alert to do this. It would be REALLY easy and make a fine project for an intern. I checked and I could not find anything on SplunkBase to do this, but maybe you search better than I do.


woodcock
Esteemed Legend

It is very easy to run a Splunk search from the CLI. Just log in to the CLI on your search head and do this:

# run the search non-interactively and write every result as CSV
# (-maxout 0 lifts the CLI's default cap on returned results)
$SPLUNK_HOME/bin/splunk search "your search here" -output csv -maxout 0 > YourFileHere
# compress the export before mailing it
tar czvf YourFileHere.tgz ./YourFileHere
YourCommandHereToSendEmail

You can put this in a script and then cron it.


dsmc_adv
Path Finder

That would be super easy for me, as I have rights to access the Splunk CLI, but the user who defines the search in the UI and wants to get the results doesn't.


burakcinar
Path Finder

I'm not sure about the exact answer, but there's another nice app on Splunkbase that might help you. You can export Splunk data to a Google spreadsheet and create an alert.

Google Import/Export
https://splunkbase.splunk.com/app/2630/


dsmc_adv
Path Finder

This app involves lookups, and if I add a lookup with 500,000 results the bundle size would be affected, but thanks.
