Getting Data In

Configure Scheduled Search to send out csv file in email instead of inline results

anantshah
Path Finder

Hello,

I have a scheduled search which sends out alerts when certain criteria match. Currently the results are sent inline in the email. Is there a way to send the results in csv format as an attachment? We have several searches and I do not want to make the change global.

Splunk Version 4.1.6

2 Solutions

Simeon
Splunk Employee

You should be able to do this by editing the alert_actions.conf file in $SPLUNK_HOME/etc/system/local. Specifically, create/add the email stanza to specify csv non-inline results to be included:

[email]
format = csv
sendresults = 1
inline = 0

For reference, see the alert_actions.conf.spec file.

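To see what the stanza above does once it is layered over the shipped defaults, here is an added example (not from the thread or from Splunk) that merges the [email] stanza across Splunk-style .conf layers and reports how results will be delivered. It assumes only system/default and system/local are in play, that a key in the later layer wins, and that the fallback values in delivery_mode() are this example's own, not Splunk's real defaults; the .conf samples are constructed.

```python
# Added example: merges [email] across Splunk-style .conf layers and reports the
# delivery mode. Assumptions: only system/default and system/local layers, later
# layer wins per key, and delivery_mode() fallbacks are ours, not Splunk's defaults.
from typing import Dict

Stanzas = Dict[str, Dict[str, str]]


def parse_conf(text: str) -> Stanzas:
    """Minimal parser for Splunk-style .conf text: [stanza] headers, key = value lines."""
    stanzas: Stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def effective_stanza(name: str, *layers: str) -> Dict[str, str]:
    """Merge one stanza across layers given lowest precedence first (default, then local)."""
    merged: Dict[str, str] = {}
    for layer in layers:
        merged.update(parse_conf(layer).get(name, {}))
    return merged


def delivery_mode(email: Dict[str, str]) -> str:
    """Describe how results reach the recipient under the merged [email] settings."""
    def truthy(v: str) -> bool:
        return v.lower() in {"1", "true", "yes", "t", "y"}
    if not truthy(email.get("sendresults", "0")):
        return "no results sent"
    fmt = email.get("format", "csv")
    return f"inline {fmt}" if truthy(email.get("inline", "0")) else f"{fmt} attachment"


# Constructed sample layers standing in for system/default and system/local.
DEFAULT_CONF = "[email]\nformat = html\nsendresults = 1\ninline = 1\n"
LOCAL_CONF = "# stanza from the answer above\n[email]\nformat = csv\nsendresults = 1\ninline = 0\n"

if __name__ == "__main__":
    print(delivery_mode(effective_stanza("email", DEFAULT_CONF)))              # inline html
    print(delivery_mode(effective_stanza("email", DEFAULT_CONF, LOCAL_CONF)))  # csv attachment
```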

mohitvohra109
Explorer

There's another way that I'm using these days: Use the sendemail command to send the files as csv and add it to a search; then schedule the search to run at specific time. For example:

"search pattern1" | ..... | table col1,col2... | sendemail to= format=html subject="Your subject" server=testgateway.sample.com sendresults=true inline=false graceful=true

Two things used here: the table command to tabularize the search results, and the sendemail command.

You can replace the above sample values with your own values. The key options used in this command are: 'inline=false' and 'graceful=true'.

If we choose 'inline=false', it will automatically append the results in .csv format (the file will be named splunk-results.csv, so you can save it as per your need).

'graceful=true' means that Splunk will exit gracefully in case it faces any issue while trying to send the mail.

For more info on table and sendemail, refer to Splunk help section; it has great examples which you can use.

Hope that helps.

Regards,

Mohit Vohra

anantshah
Path Finder

Can I configure it to send email only if there are results?


anantshah
Path Finder

Worked like a charm. Thanks!!

Simeon
Splunk Employee

This will apply to all emails. Currently, there is no capability to set this for specific alerts.

I highly recommend you create a support case that requests we create this functionality as an enhancement request. I cannot guarantee it will get added to the product, but I do believe this would be useful functionality and it's great that you bring this up as a customer.


anantshah
Path Finder

Will this affect all scheduled alerts? I only want to modify a specific scheduled alert.

Thanks.
