Hello fellow Splunkers,
After we updated to the newest version of Splunk (6.4), I am seeing a change in the CSVs that are being e-mailed out.
I have been looking in /splunk/etc/apps/search/bin/sendemail.py.
Is this the right area to look in?
Any help will be very appreciated.
The CSV files are saved searches that are sent to our ticketing system. The tickets are then sent to Outlook and run through a macro to make them easier to work with. Before I upgraded the search head everything was working well; I figure something must have changed due to the recent upgrade.
What version did you upgrade from?
What does the saved search look like?
We upgraded from 6.3.3 to 6.4.
As far as what the search looks like, are you asking for the search from Splunk? The output to Outlook?
Before the upgrade the file would look like this when I received it in Outlook: splunk-results.csv
After the upgrade the file now has a time stamp trailing the file name and the name changed as well:
Since these are Splunk boards, we should look at how Splunk is generating the CSV file that goes to the ticketing systems. Other parts of the workflow can be discussed in other forums.
What is the saved search that produces the CSV file? The final outputcsv command is the most interesting part.
The CSV is generated by the send email function in Splunk. You can either set the function to send a saved alert in the email or as an attachment CSV. The reports that are sent in the emails have not been affected, just the ones where we have chosen to send as an attachment.
I don't have experience with sendemail. It appears as though the attachment name is built using the saved search name. Wouldn't advise trying to change it as that would entail mucking around in Splunk's code (which can change in future releases) and could have unfortunate side effects.