How to set attachment name in sendemail command

daniel_splunk
Splunk Employee

I am trying to send an alert in the search app with the following command.

..... | sendemail to=myemail@myemail.com message="Test alert by using sendemail" content_type=html sendresults=true sendcsv=true inline=false

The csv file attached is always unknown-2018-01-26.csv

I know that the attachment filename comes from the following configuration.

alert_actions.conf

[email]
# Specify the file name of the attachment
# Supported tokens are [type,app,owner,name,time] 
reportFileName = $name$-$time:%Y-%m-%d$

Is there any way to change the attachment filename as a parameter and pass it from the search command?

joseft
Explorer

OK, I finally worked this out.
1) Copy sendemail.py in $SPLUNK_HOME/etc/apps/search/bin to sendemailcustom.py (NOTE: if you name it sendemail_custom.py, Splunk will find sendemail first, so best practice is not to use underscores in the name)
2) edit line #336 as in the answer above
if argvals.get('attachment_name'):
    ssContent['action.email.reportFileName'] = argvals.get('attachment_name')
3) in $SPLUNK_HOME/etc/apps/search/local/commands.conf add:
[sendemailcustom]
filename = sendemailcustom.py
streaming = false
run_in_preview = false
passauth = true
required_fields =
changes_colorder = false
supports_rawargs = true
undo_scheduler_escaping = true
is_risky = true
supports_multivalues = true

4) to make the command line format nicely, go to $SPLUNK_HOME/etc/system/default/searchbnf.conf and copy the sendemail section with all the parameters to $SPLUNK_HOME/etc/system/local/searchbnf.conf
5) change references to sendemail to sendemailcustom
6) add the following:
[attachment_name-option]
syntax = attachment_name=
description = The filename of the attachment.

Save the file and restart Splunk. Presto, a custom sendemail command with help, prompts and an option for a filename.

0 Karma

493669
Super Champion

Hi @daniel,
you can modify the default Splunk Python script, as this is the script that actually sends the emails. It resides in:
$SPLUNK_HOME/etc/apps/search/bin/sendemail.py. To rename the attached csv name, rename the default filename (filename = "splunk-results.csv").
I advise you to see this:
https://answers.splunk.com/answers/2641/how-do-i-customize-scheduled-search-alert-emails.html

0 Karma

daniel_splunk
Splunk Employee

You can use the procedure below to work around this.
However, please note that after changing the script, I don't think Splunk will support that.

If you want to change the attachment file name when using search app by using sendemail,

add the following to line #336 in .../etc/apps/search/bin/sendemail.py

if argvals.get('attachment_name'):
    ssContent['action.email.reportFileName'] = argvals.get('attachment_name')

When sending an alert in the search app, pass the attachment name to attachment_name. Your alert search will be like this.

..... | sendemail to=myemail@myemail.com message="Test alert by using sendemail" content_type=html sendresults=true sendcsv=true inline=false attachment_name="my_attachment"

dominiquevocat
Motivator

Any update for Splunk 8.2? Where does this need to be placed? (Also, it would be great if it was in the base product.)

0 Karma
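
An added example, not part of the original posts and not Splunk's own code: one way to validate the attachment_name argument before the two-line patch in the answers above copies it into action.email.reportFileName. The helper names, the character whitelist and the length limit are assumptions; the token list is the one in the alert_actions.conf comment quoted in the question.

```python
import re

# Tokens listed in the alert_actions.conf comment quoted in the question.
ALLOWED_TOKENS = {"type", "app", "owner", "name", "time"}
TOKEN_RE = re.compile(r"\$([^$]*)\$")
# Assumed whitelist for literal filename characters: no path separators,
# no quotes, no control characters such as CR/LF.
SAFE_LITERAL = r"[A-Za-z0-9 ._-]*"
# Assumed whitelist for the strftime-style format after "time:".
SAFE_TIME_FORMAT = r"[A-Za-z%_-]+"
MAX_LEN = 100  # assumed upper bound


def safe_attachment_name(raw):
    """Return the name if it is acceptable as reportFileName, else None."""
    if not isinstance(raw, str):
        return None
    name = raw.strip()
    if not name or len(name) > MAX_LEN:
        return None
    # Every $token$ or $token:format$ must use a supported token.
    for token in TOKEN_RE.findall(name):
        key, _, fmt = token.partition(":")
        if key not in ALLOWED_TOKENS:
            return None
        if fmt and (key != "time" or not re.fullmatch(SAFE_TIME_FORMAT, fmt)):
            return None
    # Whatever is left after removing tokens must be plain filename text.
    literal = TOKEN_RE.sub("", name)
    if "$" in literal or not re.fullmatch(SAFE_LITERAL, literal):
        return None
    # Reject names made only of dots and spaces, such as "." or "..".
    if not TOKEN_RE.search(name) and literal.strip(" .") == "":
        return None
    return name


def apply_attachment_name(argvals, ssContent):
    """Validated form of the two-line patch; returns True if it overrode."""
    name = safe_attachment_name(argvals.get("attachment_name"))
    if name is not None:
        ssContent["action.email.reportFileName"] = name
    return name is not None
```

With this in sendemailcustom.py, the patched lines become a single call to apply_attachment_name(argvals, ssContent), and a rejected value leaves the configured reportFileName in place.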