Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Combine 3 csv reports and send it in one Email

Shashank_87
Explorer
‎12-04-2019 02:53 AM

Hi, I am stuck into a weird problem. I have 3 queries from 3 different source producing a table with a service name and it's error count. Is it possible that I generate 3 reports, attach it in the same email and trigger it as a scheduled report. I know we can use append command but i think that will make the output a bit messy.
Is there any other way?

0 Karma
Reply

woodcock
Esteemed Legend
‎12-04-2019 03:32 AM

There are many ways but the best is like this:

|inputlookup append=t report1.csv
| eval which=coalesce(which, "report1.csv")
|inputlookup append=t report2.csv
| eval which=coalesce(which, "report2.csv")
|inputlookup append=t report3.csv
| eval which=coalesce(which, "report3.csv")
0 Karma
Reply

Shashank_87
Explorer
‎12-04-2019 03:56 AM

@woodcock Hi, Thanks for your quick response. This really works fine. But I have to first output my query results to a CSV and then use the above command to append the results in one csv.

Actually what i was thinking of if we can create 3 separate csv's and attach them together in same mail. Not sure if that is possible?

0 Karma
Reply

woodcock
Esteemed Legend
‎01-01-2020 06:29 PM

You can also use loadjob and savedsearch to pull in the results of previous search runs; this will bypass having to write to a file but you run the risk of the searches' TTL expiring and splunk reaping the search job artifacts if you are not careful.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...