Hi all,
I have the problem that, sometimes, some of my reports exceed the email attachment limits.
I could reduce the fields in the report, but this isn't a good solution because, in this way, I don't satisfy the final customer and the problem could still be present.
I solved the problem by giving the customer the ability to manually run the report, but the customer wasn't fully satisfied.
Is there a way to compress (zip or tar) a report before sending it to the email system?
I think that this is an important feature and that it's strange that nobody has implemented it in Splunk.
Bye.
Giuseppe

You can bypass email altogether and use scp or another transfer method. Here is what I have done before. First, modify your search to end in | outputcsv MyBigHonkingFile_scpToFileShare.csv. Then set up a cron job on the Search Head to run every hour looking for files that match an arbitrary naming convention like *_scpToFileShare.csv inside of the $SPLUNK_HOME/var/run/splunk/dispatch/ directory. When a file is found, it is sent via scp to the fileshare, then erased. No email necessary, or, if you like, an email that just says that the file was transferred. Cake.
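
The cron job described in this answer could look like the following; this is an added example, not the poster's own script. The names `ship_reports`, `transfer`, `SCAN_DIR`, `DEST` and the `--run` switch are assumptions, the destination is a placeholder, and key-based SSH authentication for the account running cron is assumed.

```sh
#!/bin/sh
# Added example: ship exported CSVs off the search head, then erase them.
# Hypothetical names (not from the post): SCAN_DIR, DEST, transfer, ship_reports.

# Directory named in the answer; override SCAN_DIR if your exports land elsewhere.
SCAN_DIR="${SCAN_DIR:-${SPLUNK_HOME:-/opt/splunk}/var/run/splunk/dispatch}"
# Placeholder destination, replace with your own file share.
DEST="${DEST:-reports@fileshare.example.com:/srv/reports/}"

# Copy one file. BatchMode makes scp fail instead of prompting for a
# password, which matters because cron has no terminal to answer on.
transfer() {
    scp -q -o BatchMode=yes "$1" "$DEST"
}

# Send every file under $1 that matches the naming convention.
# A file is erased only after its transfer succeeded, so a failed copy
# is retried on the next cron run. Returns 0 only if nothing failed.
ship_reports() {
    failed=0
    list=$(find "$1" -type f -name '*_scpToFileShare.csv')
    while IFS= read -r f; do
        [ -n "$f" ] || continue                       # empty result set
        { [ -f "$f" ] && [ ! -L "$f" ]; } || continue # skip symlinks and odd names
        if transfer "$f"; then
            rm -f -- "$f"
        else
            echo "transfer failed, keeping $f" >&2
            failed=$((failed + 1))
        fi
    done <<EOF
$list
EOF
    [ "$failed" -eq 0 ]
}

# Hourly crontab entry (path is an assumption):
#   0 * * * * /opt/splunk/bin/scripts/ship_reports.sh --run
if [ "${1:-}" = "--run" ]; then
    ship_reports "$SCAN_DIR"
fi
```

Give the cron account an SSH key that is restricted on the file share to the upload directory, since the key sits unattended on the search head.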