Splunk App for Windows Infrastructure: Can we schedule reports and send them by email in this app?

kkossery
Communicator

I'm trying to configure the latest version of Splunk App for Windows Infrastructure to send reports by e-mail and I cannot find any way of doing it so far. I also tried saving a search result as an alert and scheduled it, but did not see it working either. To make it worse, I'm unable to find the Alert either. I'm logged in as Admin and I'm making the changes as the Admin user itself.
Question - Can we schedule reports for this app?

0 Karma
1 Solution

rsennett_splunk
Splunk Employee

It sounds like you are saying that sending email isn't working... has it been configured?
Settings>Server Settings>Email Settings.

If you don't see how to set up a saved search (report) to be scheduled to email, here's how it goes.
Run your search. Click "Save as"> Report
Name it... > Click Save
A window pops up and you can change permissions, schedule it, etc... click Schedule...
Follow the form prompts, tell it how often...
Next Screen... choose email.

And if it doesn't work, see the top of my answer. 🙂

If you want to send the results of a search that's part of a panel in a dashboard, hover over the lower left-hand corner of the panel and click on the magnifying glass. That will open the search in the search view... then you can SaveAs...

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

kkossery
Communicator

The reports will be under the file $Splunk_home/etc/apps/appname/local/savedsearches.conf
I wasn't able to find it on the front-end GUI, though.

0 Karma

rsennett_splunk
Splunk Employee

You've got a typo there. There is no $SPLUNK_HOME/etc/apps/local folder. It's going to be .../apps/someappname.
When you click SaveAs you enter the name and then there is a second dialog screen that presents you with the option to change Permissions, Schedule it, Accelerate or Embed the report. Most of us just click "View" because it's a big green button... but if you choose Permissions, you get another dialog window that lets you choose:
Owner|App|All Apps. It shows you that the current setting is "Owner" because everything you do via the GUI that is not a global act (like building an index) is initially saved as owned by you, and 'private'. Now, if you do nothing, that search is saved under $SPLUNK_HOME/etc/users/yourusername/appname/local/savedsearches.conf. Usually, when you can't find something, you were probably in the search app... if you look under your users dir... you'll find all the apps where you saved stuff and never changed the permissions to share it out to others.

To find a lost saved search via the GUI... the first place to check is in the search app... Click on Reports in the menu.
You will likely see a giant list, as the default view is "ALL". Click "yours". If that isn't where it is... then click on Settings>Searches, reports, alerts. You'll see a list. Change the app context to "all", change the owner to "yourusername", and if there are still lots... there is a search box in the upper right-hand corner.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma
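
The two storage locations described in the reply above (private copies under `etc/users/<user>/<app>/local/` and shared copies under `etc/apps/<app>/local/`) can also be searched from disk. The following is an added example, not part of the original thread and not Splunk's own conf loader: a minimal stanza parser that lists every saved search with its scope, owner, app, schedule and e-mail recipient. The user `jdoe`, the app `sample_app`, the report names and the sample searches are constructed for illustration.

```python
import tempfile
from pathlib import Path

def parse_conf(path):
    """Minimal parser for Splunk .conf stanzas (handles backslash line continuation)."""
    stanzas, current, pending = {}, None, ""
    for raw in Path(path).read_text(encoding="utf-8").splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # value continues on the next line
            pending = line[:-1] + " "
            continue
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def find_saved_searches(splunk_home, name=None):
    """Return (scope, owner, app, report, cron, email_to) for each saved search found."""
    home, found = Path(splunk_home), []
    patterns = [("private", "etc/users/*/*/local/savedsearches.conf"),
                ("shared", "etc/apps/*/local/savedsearches.conf")]
    for scope, pattern in patterns:
        for conf in sorted(home.glob(pattern)):
            parts = conf.relative_to(home).parts
            owner = parts[2] if scope == "private" else None
            app = parts[3] if scope == "private" else parts[2]
            for report, kv in parse_conf(conf).items():
                if name is None or report == name:
                    found.append((scope, owner, app, report,
                                  kv.get("cron_schedule"), kv.get("action.email.to")))
    return found

def build_sample_tree(root):
    """Constructed sample layout; user, app and report names are made up."""
    samples = {
        "etc/users/jdoe/search/local/savedsearches.conf":
            "[Failed Logons Daily]\nsearch = index=wineventlog EventCode=4625 \\\n"
            "  | stats count by user\nenableSched = 1\ncron_schedule = 0 6 * * *\n"
            "action.email = 1\naction.email.to = soc@example.com\n",
        "etc/apps/sample_app/local/savedsearches.conf":
            "[Shared Report]\nsearch = index=main | head 10\n",
    }
    for rel, body in samples.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for row in find_saved_searches(build_sample_tree(tmp)):
            print(row)
```

A report that shows up only with scope `private` is the case described above: it was saved with the default "Owner" permission and is visible only to that user until it is shared.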

kkossery
Communicator

Thanks, I corrected it.
I didn't see my reports on the search app. Maybe I should share my Report/Alert Globally/Public. I'll figure this out. Thank you again.

0 Karma

kkossery
Communicator

Thanks rsennett.
I should have mentioned my e-mail has been configured and I'm getting reports on other plugins/apps I have configured (SplunkAPPforAWS and Splunk itself).
Although I can configure permissions, I did not see an option to schedule reports for a Dashboard or Alert. I will try and save the search result as a report and see if I can schedule this and get back to you.
Many thanks!

0 Karma

kkossery
Communicator

This works. Thank you.
However, I'm unable to find the report on Splunk if I need to schedule it to a different time or need to edit again. Where do I find this?
I have another question but I'll open another thread for this.

0 Karma