I'm trying to configure the latest version of Splunk App for Windows Infrastructure to send reports by e-mail and I cannot find any way of doing it so far. I also tried saving a search result as an alert and scheduled it, but did not see it working either. To make it worse, I'm unable to find the Alert either. I'm logged in as Admin and I'm making the changes as the Admin user itself.
Question - Can we schedule reports for this app?
It sounds like you are saying that sending email isn't working... has it been configured?
Settings>Server Settings>Email Settings.
If you don't see how to set up a saved search (report) to be scheduled to email, here's how it goes.
Run your search. Click "Save as"> Report
Name it... > Click Save
A window pops up and you can change permissions, schedule it, etc... click Schedule...
Follow the form prompts, tell it how often...
Next Screen... choose email.
And if it doesn't work, see the top of my answer. 🙂
If you want to send the results of a search that's part of a panel in a dashboard, hover over the lower left-hand corner of the panel and click on the magnifying glass. That will open the search in the search view... then you can SaveAs...
I should have mentioned my e-mail has been configured and I'm getting reports on other plugins/apps I have configured (SplunkAPPforAWS and Splunk itself).
Although I can configure permissions, I did not see an option to schedule reports for a Dashboard or Alert. I will try and save the search result as a report and see if I can schedule this and get back to you.
This works. Thank you.
However, I'm unable to find the report on Splunk if I need to schedule it to a different time or need to edit again. Where do I find this?
I have another question but I'll open another thread for this.
The reports will be under the file $Splunk_home/etc/apps/appname/local/savedsearches.conf
I wasn't able to find it on the front end GUI though.
You've got a typo there. There is no $SPLUNKHOME/etc/apps/local folder. It's going to be .../apps/someappname.
When you click SaveAs you enter the name and then there is a second dialog screen that presents you with the option to change Permissions, Schedule it, Accelerate or Embed the report. Most of us just click "View" because it's a big green button... but if you choose Permissions, you get another dialog window that lets you choose:
Owner|App|All Apps. It shows you that the current setting is "Owner" because everything you do via the GUI that is not a global act (like building an index) is initially saved as owned by you, and 'private'. Now, if you do nothing, that search is saved under $SPLUNKHOME/etc/users/yourusername/appname/local/savedsearches.conf. Usually, when you can't find something, you were probably in the search app... if you look under your users dir... you'll find all the apps where you saved stuff and never changed the permissions to share it out to others.
To find a lost saved search via the GUI... the first place to check is in the search app... Click on Reports in the menu.
You will likely see a giant list, as the default view is "ALL". Click "yours". If that isn't where it is... then click on Settings>Searches, reports, alerts. You'll see a list. Change the app context to "all", change the owner to "yourusername", and if there are still lots... there is a search box in the upper right-hand corner.
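An added example, not part of the thread and not Splunk's own tooling: a Python sketch that looks for a saved search on disk in the two locations named above (the per-user directory and the app directory) and reports its owner, app and schedule. The sample tree, the user, app and report names and the e-mail address are constructed; `enableSched`, `cron_schedule` and `action.email.to` are standard savedsearches.conf settings.

```python
import tempfile
from pathlib import Path

# Constructed sample tree; user, app and report names are placeholders.
SAMPLE = {
    "users/admin/search/local/savedsearches.conf":
        "[Failed Logons Daily]\nsearch = index=wineventlog EventCode=4625\n"
        "enableSched = 1\ncron_schedule = 0 6 * * *\naction.email.to = soc@example.com\n",
    "apps/someappname/local/savedsearches.conf":
        "# shared at app level\n[DC Health]\nsearch = index=perfmon\nenableSched = 0\n",
}

def write_sample(etc_dir):
    for rel, text in SAMPLE.items():
        (Path(etc_dir) / rel).parent.mkdir(parents=True, exist_ok=True)
        (Path(etc_dir) / rel).write_text(text)

def parse_conf(path):
    """Minimal parser: [stanza] headers, key = value, # comments (no line continuations)."""
    stanzas, current = {}, None
    for line in Path(path).read_text().splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def find_saved_searches(etc_dir, name_filter=""):
    """List private (users/) and app-level (apps/) saved searches under $SPLUNK_HOME/etc."""
    rows, etc = [], Path(etc_dir)
    for pattern in ("users/*/*/local/savedsearches.conf", "apps/*/local/savedsearches.conf"):
        for conf in sorted(etc.glob(pattern)):
            parts = conf.relative_to(etc).parts
            owner, app = (parts[1], parts[2]) if parts[0] == "users" else ("(app-level)", parts[1])
            for name, kv in parse_conf(conf).items():
                if name_filter.lower() in name.lower():
                    rows.append({"name": name, "owner": owner, "app": app,
                                 "scheduled": kv.get("enableSched", "0").lower() in ("1", "true"),
                                 "cron": kv.get("cron_schedule"),
                                 "email_to": kv.get("action.email.to"), "file": str(conf)})
    return rows

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as etc_dir:
        write_sample(etc_dir)
        print(*find_saved_searches(etc_dir), sep="\n")
```

On a real instance, pass the `etc` directory of the Splunk installation instead of the temporary sample tree; a row whose owner is a user name is a private copy that only that user sees in the GUI.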
Thanks, I corrected it.
I didn't see my reports on the search app. Maybe I should share my Report/Alert Globally/Public. I'll figure this out. Thank you again.