Solved: Re: Can you compress Splunk reports before sending...

gcusello · ‎08-27-2018

Hi at all,
I have the problem that, sometimes, some of my reports exceed the eMail attachment limits.
I could reduce the fields in report, but this isn't a good solution because, in this way, I don't satisfy the final customer and the problem could be still present.
I solved the problem by giving the customer the availability to manually run the report, but the customer wasn't fully satisfied.

Is there a way to compress (zip or tar) a report before sending it to the eMail system?
I think that this is an important feature and that it's strange that nobody has implemented it in Splunk.

Bye.
Giuseppe

woodcock · ‎09-05-2018

You can bypass email altogether and use scp or other transfer method. Here is what I have done before. First, modify your search to end in | outputcsv MyBigHonkingFile_scpToFileShare.csv. Then setup a cron job on the Search Head to run every hour looking for files that match an arbitrary naming convention like, *_scpToFileShare.csv inside of the $SPLUNK_HOME/var/run/splunk/dispatch/ directory. When a file is found, it is sent via scp to the fileshare, then erased. No email necessary, or, if you like, an email that just says that the file was transferred. Cake.

View solution in original post

Anam · ‎09-17-2018

Hi @cusello

Did any of the answers work for you? If they did please go ahead and accept it and if not let the community know if you need more help/clarification with the problem.

Thanks

Nahra · ‎09-10-2018

You could try to use the "Run a Script" option in the Scheduled Report.

http://docs.splunk.com/Documentation/Splunk/6.2.3/Report/Schedulereports#Run_a_script

You could setup a script that would compress the report and then email it via the server's mail application.

woodcock · ‎09-05-2018

You can bypass email altogether and use scp or other transfer method. Here is what I have done before. First, modify your search to end in | outputcsv MyBigHonkingFile_scpToFileShare.csv. Then setup a cron job on the Search Head to run every hour looking for files that match an arbitrary naming convention like, *_scpToFileShare.csv inside of the $SPLUNK_HOME/var/run/splunk/dispatch/ directory. When a file is found, it is sent via scp to the fileshare, then erased. No email necessary, or, if you like, an email that just says that the file was transferred. Cake.

brolo · ‎09-05-2018

Have you tried to go through the REST api?

http://docs.splunk.com/Documentation/Splunk/7.1.2/Search/ExportdatausingRESTAPI

Noah_Woodcock · ‎09-04-2018

See if this helps your problem:
https://splunkbase.splunk.com/app/4030/

woodcock · ‎09-04-2018

There are other email options. Try this app, for example.
https://splunkbase.splunk.com/app/2614/

vidhyaArumalla · ‎09-04-2018

The above suggestion by @woodcock was something I was looking for long time. Thanks @cusello cuand @woodcock

Noah_Woodcock · ‎09-04-2018

@woodcock provided what I would recommend as well.

gcusello · ‎09-04-2018

I have to send a CSV file that is usually too large for eMail attachment, this App is only for pdf.
Is there another solution for csv than to create a script?
Bye.
Giuseppe

woodcock · ‎10-20-2018

My solution bypasses email entirely. I think that you meant to put your comment under a different answer @cusello.

deepashri_123 · ‎08-27-2018

Hi cusello,

You can refer this answer and check if that helps!!:
https://answers.splunk.com/answers/140208/how-to-compress-csv-file-and-email-it-on-unix-platform.htm...

gcusello · ‎09-04-2018

I'll try it.
Bye.
Giuseppe

Can you compress Splunk reports before sending them as email attachments?

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM