Combine 3 csv reports and send it in one Email

Shashank_87 · ‎12-04-2019

Hi, I am stuck into a weird problem. I have 3 queries from 3 different source producing a table with a service name and it's error count. Is it possible that I generate 3 reports, attach it in the same email and trigger it as a scheduled report. I know we can use append command but i think that will make the output a bit messy.
Is there any other way?

woodcock · ‎12-04-2019

There are many ways but the best is like this:

|inputlookup append=t report1.csv
| eval which=coalesce(which, "report1.csv")
|inputlookup append=t report2.csv
| eval which=coalesce(which, "report2.csv")
|inputlookup append=t report3.csv
| eval which=coalesce(which, "report3.csv")

Shashank_87 · ‎12-04-2019

@woodcock Hi, Thanks for your quick response. This really works fine. But I have to first output my query results to a CSV and then use the above command to append the results in one csv.

Actually what i was thinking of if we can create 3 separate csv's and attach them together in same mail. Not sure if that is possible?

woodcock · ‎01-01-2020

You can also use loadjob and savedsearch to pull in the results of previous search runs; this will bypass having to write to a file but you run the risk of the searches' TTL expiring and splunk reaping the search job artifacts if you are not careful.

Combine 3 csv reports and send it in one Email

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?