Reporting

Can you compress Splunk reports before sending them as email attachments?

SplunkTrust
SplunkTrust

Hi at all,
I have the problem that, sometimes, some of my reports exceed the eMail attachment limits.
I could reduce the fields in report, but this isn't a good solution because, in this way, I don't satisfy the final customer and the problem could be still present.
I solved the problem by giving the customer the availability to manually run the report, but the customer wasn't fully satisfied.

Is there a way to compress (zip or tar) a report before sending it to the eMail system?
I think that this is an important feature and that it's strange that nobody has implemented it in Splunk.

Bye.
Giuseppe

0 Karma
1 Solution

Esteemed Legend

You can bypass email altogether and use scp or other transfer method. Here is what I have done before. First, modify your search to end in | outputcsv MyBigHonkingFile_scpToFileShare.csv. Then setup a cron job on the Search Head to run every hour looking for files that match an arbitrary naming convention like, *_scpToFileShare.csv inside of the $SPLUNK_HOME/var/run/splunk/dispatch/ directory. When a file is found, it is sent via scp to the fileshare, then erased. No email necessary, or, if you like, an email that just says that the file was transferred. Cake.

View solution in original post

Community Manager
Community Manager

Hi @cusello

Did any of the answers work for you? If they did please go ahead and accept it and if not let the community know if you need more help/clarification with the problem.

Thanks

0 Karma

New Member

You could try to use the "Run a Script" option in the Scheduled Report.

http://docs.splunk.com/Documentation/Splunk/6.2.3/Report/Schedulereports#Run_a_script

You could setup a script that would compress the report and then email it via the server's mail application.

0 Karma

Esteemed Legend

You can bypass email altogether and use scp or other transfer method. Here is what I have done before. First, modify your search to end in | outputcsv MyBigHonkingFile_scpToFileShare.csv. Then setup a cron job on the Search Head to run every hour looking for files that match an arbitrary naming convention like, *_scpToFileShare.csv inside of the $SPLUNK_HOME/var/run/splunk/dispatch/ directory. When a file is found, it is sent via scp to the fileshare, then erased. No email necessary, or, if you like, an email that just says that the file was transferred. Cake.

View solution in original post

Explorer
0 Karma

Path Finder

See if this helps your problem:
https://splunkbase.splunk.com/app/4030/

Esteemed Legend

There are other email options. Try this app, for example.
https://splunkbase.splunk.com/app/2614/

Path Finder

The above suggestion by @woodcock was something I was looking for long time. Thanks @cusello cuand @woodcock

0 Karma

Path Finder

@woodcock provided what I would recommend as well.

0 Karma

SplunkTrust
SplunkTrust

I have to send a CSV file that is usually too large for eMail attachment, this App is only for pdf.
Is there another solution for csv than to create a script?
Bye.
Giuseppe

0 Karma

Esteemed Legend

My solution bypasses email entirely. I think that you meant to put your comment under a different answer @cusello.

0 Karma

Motivator

SplunkTrust
SplunkTrust

I'll try it.
Bye.
Giuseppe

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!