I have a dashboard that I want to send me a PDF every week.
That I can do, but I want to know if there is a way to dynamically change the subject of the mail.
I would like the mail to include the dates of last week.
For example, the subject of the mail would be:
Splunk Weekly: 19/2 - 26/2
But the "19/2 - 26/2" would change for every week.
Our Splunk version is 6.5.1.
Can it be done?
For dashboards, I don't think you can access the earliest and latest time tokens for emails.
When I have a PDF generated, the date of generation is in the attachment name and then I also have the date range as an HTML panel inside the PDF at the top. That was my workaround.
@cmerriman - Thank you for the workaround!
This is actually a good idea, but my superiors have a good time, they see the date range in the mail subject 🙂
I will check if that's possible, though.
@DalJeanis - this might be stupid to ask, but is there really a way to request future enhancements?
According to this documentation, email supports the
Those should include these (among others):
$job.earliestTime$: Initial job start time.
$job.latestTime$: Latest time recorded for the search job.
$job.resultCount$: Number of results a search job returned.
$job.runDuration$: Time, in seconds, for the search to complete.
$job.messages$: List of error and/or debug messages generated by the search job.
@wookcock - Thank you!
I actually saw these tokens, but they go halfway.
This is their output:
The job.latestTime is actually working great, but the earliestTime isn't.
If I could get those to work, and get only the day and month in a format of my desire, that would resolve my case 🙂
It does say that Job Information is available in the context of "Alert actions from search" and "Scheduled reports" so it may be why earliestTime is giving you trouble? I'm not sure it's going to give you what you want. Initial time a search job starts, to me, sounds like "I started this search at 3/1/2017 10:10 am" not "The week started on 2/27/2017" and the latest time recorded for the search job sounds like the timestamp the search finished. I could be wrong though.
Token: Description
$job.earliestTime$: Initial time a search job starts.
$job.eventSearch$: Subset of the search that contains the part of the search before any transforming commands.
$job.latestTime$: Latest time recorded for the search job.
$job.messages$: List of error and debug messages generated by the search job.
$job.resultCount$: Number of results returned by the search job.
$job.runDuration$: Time, in seconds, that the search took to complete.
$job.sid$: Search ID.
$job.label$: Name given to the search job.
You are clearly running a search for All Time. So run a "smarter" search with a more appropriate timepicker value and you should be good-to-go.
I have been having the same issue. I have not been able to solve it. It may not be possible. If you think about it, a dashboard can have multiple searches, which could have different search periods. So the dashboard itself does not really have a "start time" or earliest.
It would be good to have a way to set tokens in the dashboard that are available to the email. We are on Splunk Cloud, and the default schedule creates a default email template with the subject "Splunk Dashboard: '$dashboard.label$'", which is an undocumented token as far as I can see. Are there others that are useful??? If you can dynamically set the dashboard label to the search period in the XML, then it should be available.
I can confirm that I also tried the job.earliestTime and have the same result as you. It is not related to having ALL TIME set for the search.