I am trying to send an alert in the search app with the following command.
..... | sendemail firstname.lastname@example.org message="Test alert by using sendemail" content_type=html sendresults=true sendcsv=true inline=false
The csv file attached is always unknown-2018-01-26.csv
I know that the attachment filename comes from the following configuration.
[email]
# Specify the file name of the attachment
# Supported tokens are [type,app,owner,name,time]
reportFileName = $name$-$time:%Y-%m-%d$
Is there any way to change the attachment filename as a parameter and pass it from the search command?
OK, I finally worked this out.
1) Copy sendemail.py in $SPLUNK_HOME/etc/apps/search/bin to sendemailcustom.py (NOTE: if you name it sendemail_custom.py, Splunk will find sendemail first, so best practice is not to use underscores in the name)
2) edit line #336 as in the answer above
ssContent['action.email.reportFileName'] = argvals.get('attachment_name')
3) in $SPLUNK_HOME/etc/apps/search/local/commands.conf add:
[sendemailcustom]
filename = sendemailcustom.py
streaming = false
run_in_preview = false
passauth = true
changes_colorder = false
supports_rawargs = true
undo_scheduler_escaping = true
is_risky = true
supports_multivalues = true
4) to make the command line format nicely, go to $SPLUNK_HOME/etc/system/default/searchbnf.conf and copy the sendemail section with all the parameters to $SPLUNK_HOME/etc/system/local/searchbnf.conf
5) change references to sendemail to sendemailcustom
6) add the following:
syntax = attachment_name=
description = The filename of the attachment.
Save the file and restart Splunk. Presto, a custom sendemail command with help, prompts and an option for a filename.
You can modify the default Splunk Python script, as this is the script that actually sends the emails. It resides in:
$SPLUNK_HOME/etc/apps/search/bin/sendemail.py. To rename the attached CSV, rename the default filename (filename = "splunk-results.csv").
I advise you to see this:
You can use the procedure below to work around this.
However, please note that after changing the script, I don't think Splunk will support that.
If you want to change the attachment file name when using search app by using sendemail,
add the following to line #336 in .../etc/apps/search/bin/sendemail.py
if argvals.get('attachment_name'):
    ssContent['action.email.reportFileName'] = argvals.get('attachment_name')
When sending an alert in the search app, pass the attachment name to attachment_name. Your alert search will look like this.
..... | sendemail email@example.com message="Test alert by using sendemail" content_type=html sendresults=true sendcsv=true inline=false attachment_name="my_attachment"
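Added example, not part of the original answers or of Splunk's own sendemail.py: because attachment_name now flows from the search string into the attachment filename of an outgoing mail, a modified script can validate the value before assigning it. The helper names, the allowed character set and the length limit are assumptions made for this sketch; argvals and ssContent are used as in the answers above.

```python
import re

# Assumption for this example: literal names only (no $token$ syntax),
# starting with a letter or digit, then letters, digits, space, dot,
# underscore or hyphen. Everything else is rejected.
_ALLOWED = re.compile(r"[A-Za-z0-9][A-Za-z0-9 ._-]*\Z")
MAX_LEN = 64  # assumed limit, chosen for this example


def safe_attachment_name(argvals, default=None):
    """Return a validated attachment_name from the command arguments.

    Falls back to `default` when the argument is missing or fails
    validation, so the configured reportFileName stays in effect.
    """
    raw = argvals.get('attachment_name')
    if raw is None:
        return default
    name = raw.strip()
    if not name or len(name) > MAX_LEN:
        return default
    # The allowlist rejects CR/LF and other control characters (which
    # could break the MIME header carrying the filename), path
    # separators, quotes and token characters.
    if not _ALLOWED.match(name):
        return default
    # Refuse dot sequences that could be read as path traversal.
    if '..' in name:
        return default
    return name


def apply_attachment_name(ssContent, argvals):
    """Set action.email.reportFileName only for a validated name."""
    name = safe_attachment_name(argvals)
    if name is not None:
        ssContent['action.email.reportFileName'] = name
    return ssContent
```

In the modified script, the single assignment at the edited line would become a call to apply_attachment_name(ssContent, argvals).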