Reporting

How do I add yesterday's date to an emailed report subject?

matstap
Communicator

I have a scheduled report for the previous day's data that gets emailed. I'm trying to include the previous days date in the subject line.

I've tried evaluating a field ReportDate in which the value is yesterday's date and then hiding the field since I don't want it in the report. I then put $result.ReportDate$, but this of course did not work since that field isn't included.

Advice?

0 Karma

cmerriman
Super Champion

There is a few job property tokens that you could use for this, I think.
in your email, you could use $job.earliestTime$ or $job.latestTime$ to get the earliest or latest time of the search window.

https://docs.splunk.com/Documentation/SplunkCloud/latest/Alert/EmailNotificationTokens#Job_informati...

0 Karma

woodcock
Esteemed Legend

Add this to your SPL

| eval _yesterday = strftime(relative_time(now(), "-1d@d"), "%m/%d")

Then reference it as $result._yesterday$

poddraj
Explorer

Hi Woodcock,

I am having same issue of adding yesterday's date in my email message. You mentioned to add above eval in SPL. Could you please elaborate how to add it.

I tried to add it by editing sendemail.py but it is not working. Do I need to import any packages to use below code
yesterday = datetime.datetime.now() - datetime.timedelta(days = 1)
ssContent['action.email.message'] = argvals.get('message') + " "+ yesterday.strftime("%d.%m.%Y")

Please help.. Sorry for adding comment in this existing post

0 Karma

woodcock
Esteemed Legend

Open the Saved Search that is generating the email and add my answer to the bottom of the search string and click the Save button. Then to back and edit the email Alert Action associated with the Saved Search and add $result._yesterday$ to the email subject.

0 Karma

poddraj
Explorer

Thanks Woodcock, that worked as perfect as I am looking for..

woodcock
Esteemed Legend

OK, then be sure to come back here and click Accept on this answer to close the question and help anybody else coming behind you asking for something similar.

0 Karma

harfel
Explorer

I don't think you need to modify sendemail.py in order for this to work. If you copy the line above exactly as it is into your SPL, which is your splunk query, it will create a hidden column that evaluates to the previous day. If you want to see the column remove the underscore from the beginning of the name, do | eval yesterday = . . . instead. I would suggest to add the line for the date as the last line of your SPL and use a scheduled report to get the email sent out.

0 Karma

somesoni2
Revered Legend

I don't think there is any other way possible. You probably have to include the field ReportDate in your search results and then use the token $result.ReportDate$in alert email subject.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...