Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Configure Scheduled Search to send out csv file in email instead of inline results

anantshah
Path Finder
‎01-20-2011 07:16 PM

Hello,

I have a scheduled search which sends out alerts when certain criteria matches. Currently the results are sent inline in the email. Is there a way to send the results in csv format as a attachment? We have several searches and i do not want to make the change global.

Splunk Version 4.1.6

0 Karma
Reply
2 Solutions
Solved! Jump to solution
Solution

Simeon
Splunk Employee
Splunk Employee
‎01-21-2011 05:59 PM

You should be able to do this by editing the alert_actions.conf file in $SPLUNK_HOME/etc/system/local. Specifically, create/add the email stanza to specify csv non-inline results to be included.:

[email]
format = csv
sendresults = 1
inline = 0

For reference, see the alert_actions.conf.spec file.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

mohitvohra109
Explorer
‎03-16-2011 05:31 AM

There's another way that I'm using these days: Use the sendemail command to send the files as csv and add it to a search; then schedule the search to run at specific time. For example:

"search pattern1" | ..... | table col1,col2... | sendemail to= format=html subject="Your subject" server=testgateway.sample.com sendresults=true inline=false graceful=true

Two things used here: the table command to tabularize the search results, and the sendemail command.

You can replace the above sample values with your own values. The key options used in this command are: 'inline=false' and 'graceful=true'.

If we choose 'inline=false', it automatically will append the results in .csv format (the file will be named splunk-results.csv so you can save it as per your need.

'graceful=true' this means that Splunk will exit gracefully in case it faces any issue while trying to send the mail.

For more info on table and sendemail, refer to Splunk help section; it has great examples which you can use.

Hope that helps.

Regards,

Mohit Vohra

View solution in original post

Reply
Solved! Jump to solution
Solution

mohitvohra109
Explorer
‎03-16-2011 05:31 AM

There's another way that I'm using these days: Use the sendemail command to send the files as csv and add it to a search; then schedule the search to run at specific time. For example:

"search pattern1" | ..... | table col1,col2... | sendemail to= format=html subject="Your subject" server=testgateway.sample.com sendresults=true inline=false graceful=true

Two things used here: the table command to tabularize the search results, and the sendemail command.

You can replace the above sample values with your own values. The key options used in this command are: 'inline=false' and 'graceful=true'.

If we choose 'inline=false', it automatically will append the results in .csv format (the file will be named splunk-results.csv so you can save it as per your need.

'graceful=true' this means that Splunk will exit gracefully in case it faces any issue while trying to send the mail.

For more info on table and sendemail, refer to Splunk help section; it has great examples which you can use.

Hope that helps.

Regards,

Mohit Vohra

Reply
Solved! Jump to solution

anantshah
Path Finder
‎04-01-2011 06:08 PM

Can i configure it to send email only if there are results?

0 Karma
Reply
Solved! Jump to solution

anantshah
Path Finder
‎04-01-2011 02:36 PM

Worked like a charm. Thanks!!

0 Karma
Reply
Solved! Jump to solution
Solution

Simeon
Splunk Employee
Splunk Employee
‎01-21-2011 05:59 PM

You should be able to do this by editing the alert_actions.conf file in $SPLUNK_HOME/etc/system/local. Specifically, create/add the email stanza to specify csv non-inline results to be included.:

[email]
format = csv
sendresults = 1
inline = 0

For reference, see the alert_actions.conf.spec file.

0 Karma
Reply
Solved! Jump to solution

Simeon
Splunk Employee
Splunk Employee
‎01-26-2011 08:00 PM

This will apply to all emails. Currently, there is no capability to set this for specific alerts.

I highly recommend you create a support case that requests we create this functionality as an enhancement request. I cannot guarantee it will get added to the product, but I do believe this would be useful functionality and it's great that you bring this up as a customer.

0 Karma
Reply
Solved! Jump to solution

anantshah
Path Finder
‎01-25-2011 10:19 PM

Will this affect all scheduled alerts? I only want to modify a specific scheduled alert.

Thanks.

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...