Reporting

Is there a way to include a brief summary of search results in the body of an email for a scheduled report?

wena1213
Engager

Hello experts,

Is there a way to put a brief summary of the search results in an automated report, specifically the body of an email?
For example: I'd like the report search to be about all the users who logged in. Attached is a CSV of all events (results of search). In the body I'd like it to only display total login attempts.

What is the best way to accomplish this? Perhaps it would require two separate emails or a custom script to generate the email. Thank you!

0 Karma
1 Solution

somesoni2
Revered Legend

In Splunk 6.3+, you can access the search result's fields in your email body. So what you need to do is to update the search to include the total login attempts (may be using an eventstats command), say with fieldname as total_login_attemps and then use $result.total_login_attemps$ in the email body.

See this link for more details
http://docs.splunk.com/Documentation/Splunk/6.3.0/Alert/Emailnotification#Tokens_available_from_resu...

View solution in original post

somesoni2
Revered Legend

In Splunk 6.3+, you can access the search result's fields in your email body. So what you need to do is to update the search to include the total login attempts (may be using an eventstats command), say with fieldname as total_login_attemps and then use $result.total_login_attemps$ in the email body.

See this link for more details
http://docs.splunk.com/Documentation/Splunk/6.3.0/Alert/Emailnotification#Tokens_available_from_resu...

wena1213
Engager

Yes, this works for putting values in the email body.

Still trying to figure out how to get just the stats/total count in the body while having all events as an attachment.

index=something
| stats count(description) as event_counts by description

-this will give me the exact summary table but will not include any other tables/events

| eventstats count(eval(description="login")) as Logins by description 
| eventstats count(eval(description="logout")) as Logouts by description 

-This will give me total of each event-description but only for it's respective event.
EX: Logins might be 10 but only on a Login event. Logouts will be zero. Logouts on a logout event might be 9 but only on Logout event.

If anyone has any tips I would appreciate it. Basically trying to run a report with stats as the body and verbose as the CSV attachment.

0 Karma

wena1213
Engager

I think this is what I am looking for. Need to test it out. Thank you for the prompt response!

0 Karma
Get Updates on the Splunk Community!

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...