Alerting

Send email alerts in gz format

dsmc_adv
Path Finder

I want to get more than 10000 results, and after reading some answers about the limits in the email action I realized that if I bump from 10000 to 500000 results I will have a huge file that I will not be able to send by email. So I started to attack this.

My first thought was to send it directly with a custom alert action: a Python script that emails the results_file, which is easily accessible through the results_file field of the payload, but this gives me raw results that I will have to parse (how?). The other alternative is to modify the default email script for my specific app. Any advice?

It is strange that the default email action only sends plain CSV files and does not give the option of compressing them.

0 Karma
1 Solution

dsmc_adv
Path Finder

I finally created my own app with a script that reads the results_file, cleans the metadata columns, creates a gzip and attaches it to an email. The recipients can be configured with a defined user interface:

https://github.com/rmacian/splunk-gzip-alerts


0 Karma
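For readers who want to see what such a custom alert action looks like, here is an added example of the approach the accepted answer describes. It is not the code of the linked splunk-gzip-alerts app and not the original poster's script. It assumes (as Splunk documents for custom alert actions) that the script is invoked with `--execute` and receives the alert payload as JSON on stdin, that `results_file` points at a gzipped CSV, that the metadata columns to drop are the `__mv_*` multivalue columns, and that the recipient list and sender come from the action's `configuration` dictionary; the SMTP host and the sample CSV rows are constructed placeholders.

```python
"""Added example: Splunk custom alert action that reads results_file,
drops the __mv_* metadata columns, re-gzips the CSV and attaches it to
an email (assumptions and placeholders are marked in comments)."""
import csv
import gzip
import io
import json
import smtplib
import sys
import tempfile
from email.message import EmailMessage

METADATA_PREFIX = "__mv_"  # assumption: Splunk's per-field multivalue columns

# Constructed sample of what Splunk writes into results_file (not real data).
SAMPLE_CSV = (
    "_time,host,count,__mv__time,__mv_host,__mv_count\n"
    "2024-01-01T00:00:00,web01,42,,,\n"
    "2024-01-01T00:05:00,web02,7,,,\n"
)


def make_sample_results(path=None):
    """Write the constructed sample as a gzipped CSV and return its path."""
    if path is None:
        tmp = tempfile.NamedTemporaryFile(suffix=".csv.gz", delete=False)
        path = tmp.name
        tmp.close()
    with gzip.open(path, "wt", newline="") as fh:
        fh.write(SAMPLE_CSV)
    return path


def clean_results(results_path):
    """Return (header, rows) from the gzipped CSV with __mv_* columns removed."""
    with gzip.open(results_path, "rt", newline="") as fh:
        reader = csv.DictReader(fh)
        keep = [f for f in reader.fieldnames if not f.startswith(METADATA_PREFIX)]
        rows = [{k: row[k] for k in keep} for row in reader]
    return keep, rows


def gzip_csv(header, rows):
    """Serialise the cleaned rows back to CSV and gzip them in memory."""
    text = io.StringIO()
    writer = csv.DictWriter(text, fieldnames=header)
    writer.writeheader()
    writer.writerows(rows)
    return gzip.compress(text.getvalue().encode("utf-8"))


def build_message(payload, recipients, sender):
    """Build the email for one alert payload; returns (message, row_count)."""
    header, rows = clean_results(payload["results_file"])
    msg = EmailMessage()
    msg["Subject"] = "Splunk alert: " + payload.get("search_name", "unnamed")
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg.set_content(
        "%d result rows attached as gzip-compressed CSV.\nResults link: %s\n"
        % (len(rows), payload.get("results_link", "n/a"))
    )
    msg.add_attachment(gzip_csv(header, rows), maintype="application",
                       subtype="gzip", filename="results.csv.gz")
    return msg, len(rows)


def send(msg, smtp_host="smtp.example.invalid", smtp_port=25):
    """Hand the message to the local relay (placeholder host, assumption)."""
    with smtplib.SMTP(smtp_host, smtp_port) as smtp:
        smtp.send_message(msg)


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--execute":
        # Real invocation by Splunk: payload arrives as JSON on stdin.
        payload = json.load(sys.stdin)
        cfg = payload.get("configuration", {})
        to = [a.strip() for a in cfg.get("recipients", "").split(",") if a.strip()]
        msg, n = build_message(payload, to, cfg.get("sender", "splunk@example.invalid"))
        send(msg)
        sys.stderr.write("INFO sent %d rows to %d recipients\n" % (n, len(to)))
    else:
        # Offline dry run on the constructed sample; nothing is sent.
        demo = {"results_file": make_sample_results(), "search_name": "demo"}
        msg, n = build_message(demo, ["ops@example.invalid"], "splunk@example.invalid")
        print("built message with %d rows, attachment %s"
              % (n, next(msg.iter_attachments()).get_filename()))
```

The script only ever touches the file path Splunk hands it in the payload, so a user who can save a search in the UI but has no CLI access still gets the compressed results, which was the constraint raised later in the thread; recipients stay in the alert's own configuration rather than in the script.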

woodcock
Esteemed Legend

You will have to build your own modular alert to do this. It would be REALLY easy and make a fine project for an intern. I checked and I could not find anything on SplunkBase to do this, but maybe you search better than I do.

0 Karma

woodcock
Esteemed Legend

It is very easy to run a splunk search from the CLI. Just login to CLI on your search head, and do this:

# 'search' is the required subcommand; -maxout 0 lifts the CLI's default cap on returned events
$SPLUNK_HOME/bin/splunk search "your search here" -maxout 0 > YourFileHere
tar czvf YourFileHere.tgz ./YourFileHere
YourCommandHereToSendEmail

You can put this in a script and then cron it.

0 Karma

dsmc_adv
Path Finder

That would be super easy for me, since I have rights to access the Splunk CLI, but the user, who defines the search in the UI and wants to get the results, doesn't.

0 Karma

burakcinar
Path Finder

I'm not sure about the exact answer, but there's another nice app on Splunkbase; it might help you. You can export Splunk data to a Google spreadsheet and create an alert.

Google Import/Export
https://splunkbase.splunk.com/app/2630/

0 Karma

dsmc_adv
Path Finder

This app involves lookups, and if I add a lookup with 500000 results the bundle size would be affected, but thanks.

0 Karma