How to set attachment name in sendemail command

daniel_splunk · ‎01-25-2018

I try to send alert in search app with the following command.

..... | sendemail to=myemail@myemail.com message="Test alert by using sendemail" content_type=html sendresults=true sendcsv=true inline=false

The csv file attached is always unknown-2018-01-26.csv

I know that the attachment filename is come from the following configure.

alert_actions.conf

[email]
# Specify the file name of the attachment
# Supported tokens are [type,app,owner,name,time] 
reportFileName = $name$-$time:%Y-%m-%d$

Are there any way to change the attachment filename as a parameter and pass it from the search command.

joseft · ‎08-09-2019

OK, I finally worked this out.
1) Copy sendemail.py in $SPLUNK_HOME/etc/apps/search/bin to sendemailcustom.py (NOTE if you name it sendemail_custom.py Splunkwill find sendemail first, so best practice is not to use underscores in the name)
2) edit line #336 as in the answer above
if argvals.get('attachment_name'):
ssContent['action.email.reportFileName'] = argvals.get('attachment_name')
3) in $SPLUNK_HOME/etc/apps/search/local/commands.conf add:
[sendemailcustom]
filename = sendemailcustom.py
streaming = false
run_in_preview = false
passauth = true
required_fields =
changes_colorder = false
supports_rawargs = true
undo_scheduler_escaping = true
is_risky = true
supports_multivalues = true

4) to make the command line format nicely, go to $SPLUNK_HOME/etc/system/default/searchbnf.conf and copy the sendemail section with all the parameters to $SPLUNK_HOME/etc/system/local/searchbnf.conf
5) change references to sendemail to sendemailcustom
6) add the following:
[attachment_name-option]
syntax = attachment_name=
description = The filename of the attachment.

Save the file and restart Splunk. Presto a custom sendemail command with help, prompts and an option for a filename

493669 · ‎01-25-2018

Hi @daniel,
you can modify the default splunk python script, as this is the script that actually send the emails. It resides in:
$SPLUNK_HOME/etc/apps/search/bin/sendemail.py . To rename the attached csv name , rename the default filename (
filename = "splunk-results.csv")
I advice you to see this:
https://answers.splunk.com/answers/2641/how-do-i-customize-scheduled-search-alert-emails.html

daniel_splunk · ‎01-25-2018

You can use below procedure to workaround this.
However, please noticed that after changing the script, I don't think Splunk will support that.

If you want to change the attachment file name when using search app by using sendemail,

add the following to line #336 in .../etc/apps/search/bin/sendemail.py

if argvals.get('attachment_name'): 
ssContent['action.email.reportFileName'] = argvals.get('attachment_name')

When sending alert in search app, pass the attachment name to attachment_name. Your alert search will be like this.

..... | sendemail to=myemail@myemail.com message="Test alert by using sendemail" content_type=html sendresults=true sendcsv=true inline=false attachment_name="my_attachment"

dominiquevocat · ‎09-14-2021

any update for splunk 8.2? where does this need to be placed? (lso it would be great if it was in the base product)

How to set attachment name in sendemail command

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!