Hi,
I have 4 different reports which don't have any common field, but the application team want all the reports in single email.
It sounds like you are looking to have four separate tables sent in a single email, which is a good use case for building a dashboard that displays the four tables/searches and emails the whole dashboard on a scheduled basis. Here's guidance on how to do that:
http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Report/GeneratePDFsofyourreportsanddashboards
When we create a report from multiple dashboard panels it would be extracted as a PDF file..., what we need is send multiple reports in csv format in a single mail.
as long as the searches don't hit any limits, you might be able to use |append
and tack all the searches into the same table. You'll need to adjust the alerts to be based on all the fields of interest. http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Append
we can do append but they dont even have any common fields in it.
they don't need a common field.
|makeresults|eval field1="foo"|eval field2="bar"|eval report="report name1"|fields - _time |append [|makeresults|eval field3="value"|eval report="report name2"|fields - _time]
It will just create a new column for the fields that don't match. you could do an eval, though, to bring in what report it's for so the recipients know which lines are for which report.