I want to get more than 10000 results, and after reading some answers about the limits in the email, I realized that if I bump from 10000 to 500000 results I will have a huge file that I will not be able to send by email. So I started to attack this.
My first thought was to send it directly with a custom alert action: a Python script that emails the results_file, as it is easily accessible through the results_file payload, but this gives me raw results that I will have to parse (how?). The other alternative is to modify the default email script for my specific app. Any advice?
It is strange that the default email action only sends plain CSV files and does not give the option of compressing them.
I finally created my own app with a script that reads the results_file, cleans the metadata columns, creates a gzip and attaches it to an email. The recipients can be configured with a defined user interface:
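As an added example (not the asker's app and not Splunk's own code), here is a custom alert action script of the kind described above: it reads the gzipped CSV that Splunk names in the payload's results_file, drops the __mv_* metadata columns, re-gzips the cleaned CSV and attaches it to an email. Assumptions: the alert action declares a "to" parameter for the recipients, mail is relayed through a local SMTP server, and the sample results file is constructed inline so the script runs offline.

```python
# Added example, not the asker's app or Splunk's own code. Assumed: the alert action
# declares a "to" parameter, and mail is relayed via a local SMTP server.
import csv
import gzip
import io
import json
import os
import smtplib
import sys
import tempfile
from email.message import EmailMessage

# Splunk stores multivalue fields in extra "__mv_<field>" columns of results_file.
METADATA_PREFIX = "__mv_"


def clean_results(results_path):
    """Read the gzipped CSV named by payload['results_file'] and drop __mv_* columns.
    Returns (fieldnames, rows) with only the user-visible columns kept."""
    with gzip.open(results_path, "rt", newline="") as fh:
        reader = csv.DictReader(fh)
        keep = [f for f in reader.fieldnames if not f.startswith(METADATA_PREFIX)]
        rows = [{f: row[f] for f in keep} for row in reader]
    return keep, rows


def gzip_csv(fieldnames, rows):
    """Serialise the cleaned rows back to CSV and gzip them for the attachment."""
    text = io.StringIO()
    writer = csv.DictWriter(text, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return gzip.compress(text.getvalue().encode("utf-8"))


def build_message(sender, recipients, search_name, attachment):
    """Build the outgoing mail with the gzipped CSV as an attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = "Splunk alert results: %s" % search_name
    msg.set_content("Results of saved search '%s' are attached as gzip-compressed CSV."
                    % search_name)
    msg.add_attachment(attachment, maintype="application", subtype="gzip",
                       filename="%s.csv.gz" % search_name)
    return msg


def run(payload, sender="splunk@example.com", send=None):
    """Process one alert payload and return the built message; call send(msg) if given."""
    fields, rows = clean_results(payload["results_file"])
    # "to" is an assumed parameter name from this app's alert_actions.conf / setup UI.
    recipients = [r.strip() for r in payload["configuration"]["to"].split(",") if r.strip()]
    msg = build_message(sender, recipients, payload["search_name"], gzip_csv(fields, rows))
    if send is not None:
        send(msg)
    return msg


def attachment_csv(msg):
    """Decompress the first attachment back to text (used to check the result)."""
    part = next(msg.iter_attachments())
    return gzip.decompress(part.get_payload(decode=True)).decode("utf-8")


def make_sample_results():
    """Constructed sample results_file: gzipped CSV with a __mv_ column, as Splunk writes it."""
    path = os.path.join(tempfile.mkdtemp(), "results.csv.gz")
    with gzip.open(path, "wt", newline="") as fh:
        w = csv.writer(fh)
        w.writerow(["_time", "host", "status", "__mv_status"])
        w.writerow(["2024-01-01T00:00:00", "web01", "200", ""])
        w.writerow(["2024-01-01T00:00:01", "web02", "500", "$500$;$503$"])
    return path


def smtp_send(msg):
    """Hand the message to the assumed local SMTP relay."""
    with smtplib.SMTP("localhost") as smtp:
        smtp.send_message(msg)


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--execute":
        # Splunk runs the script with --execute and the JSON payload on stdin.
        run(json.load(sys.stdin), send=smtp_send)
    else:
        # Offline demo on the constructed sample file.
        demo = run({"results_file": make_sample_results(), "search_name": "big_export",
                    "configuration": {"to": "ops@example.com"}})
        print(demo["To"], demo["Subject"])
        print(attachment_csv(demo))
```

Run with no arguments to see the cleaned attachment for the constructed sample; installed as the alert action script of an app, Splunk starts it with --execute and the payload on stdin, and the recipients come from the "to" parameter the app's setup UI writes into the alert configuration.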
You will have to build your own modular alert to do this. It would be REALLY easy and make a fine project for an intern. I checked and I could not find anything on SplunkBase to do this, but maybe you search better than I do.
It is very easy to run a Splunk search from the CLI. Just log in to the CLI on your search head, and do this:
# "search" is the CLI subcommand; -maxout 0 lifts the CLI's default cap on returned rows
$SPLUNK_HOME/bin/splunk search "your search here" -maxout 0 > YourFileHere
tar czvf YourFileHere.tgz ./YourFileHere
YourCommandHereToSendEmail
You can put this in a script and then cron it.
That would be super easy for me, since I have rights to access the Splunk CLI, but the user who defines the search in the UI and wants to get the results doesn't.
I'm not sure about the exact answer, but there's another nice app on Splunkbase; it might help you. You can export Splunk data to a Google spreadsheet and create an alert.
Google Import/Export
https://splunkbase.splunk.com/app/2630/
This app involves lookups, and if I add a lookup with 500000 results the bundle size would be affected, but thanks.