I have a scheduled report for the previous day's data that gets emailed. I'm trying to include the previous days date in the subject line.
I've tried evaluating a field ReportDate in which the value is yesterday's date and then hiding the field since I don't want it in the report. I then put $result.ReportDate$, but this of course did not work since that field isn't included.
I don't think there is any other way possible. You probably have to include the field ReportDate in your search results and then use the token
$result.ReportDate$in alert email subject.
Add this to your SPL
| eval _yesterday = strftime(relative_time(now(), "-1d@d"), "%m/%d")
Then reference it as
I am having same issue of adding yesterday's date in my email message. You mentioned to add above eval in SPL. Could you please elaborate how to add it.
I tried to add it by editing sendemail.py but it is not working. Do I need to import any packages to use below code
yesterday = datetime.datetime.now() - datetime.timedelta(days = 1)
ssContent['action.email.message'] = argvals.get('message') + " "+ yesterday.strftime("%d.%m.%Y")
Please help.. Sorry for adding comment in this existing post
I don't think you need to modify sendemail.py in order for this to work. If you copy the line above exactly as it is into your SPL, which is your splunk query, it will create a hidden column that evaluates to the previous day. If you want to see the column remove the underscore from the beginning of the name, do
| eval yesterday = . . . instead. I would suggest to add the line for the date as the last line of your SPL and use a scheduled report to get the email sent out.
Saved Search that is generating the email and add my answer to the bottom of the search string and click the
Save button. Then to back and edit the email
Alert Action associated with the
Saved Search and add
$result._yesterday$ to the email subject.
OK, then be sure to come back here and click
Accept on this answer to close the question and help anybody else coming behind you asking for something similar.
There is a few job property tokens that you could use for this, I think.
in your email, you could use $job.earliestTime$ or $job.latestTime$ to get the earliest or latest time of the search window.