Report is creating multiple emails instead of one

mlevsh
Builder

We have a report (NOT an alert) that has multiple events as a result of some specific search.
It is scheduled to run every hour and email the result of the search.
Instead of the report sending the entire result set in one email, it sends an email for each event result.

For example:
Result of the search on the Report via GUI:
user1 locked
user2 locked
user3 locked

The Report sends 3 emails, each with "user# locked" in the body of the email.

Is there any way to make it send one email with all events in the result, without converting it to an alert?

Thank you

1 Solution

mlevsh
Builder

We used Settings -> Searches, reports, and alerts -> Advanced Edit on the Report -> change "alert.digest_mode" from "false" to "true". It seems to have fixed our issue. At least, for my test.

I compared a regular Alert's settings with "Trigger" set to "Once" and "Alert Trigger" set to "For each result" and found that alert.digest_mode corresponds to the Alert Trigger value. On the report that produced multiple emails, alert.digest_mode was set to "false". After changing it to "true" I got just one email.

christopherreed
Engager

It took a couple of tries for the value to actually set, but once it did it worked perfectly. I needed everything to be sent separately so I set it to false.


p_gurav
Champion

Hi,

This may help you:
https://answers.splunk.com/answers/586680/report-creates-multiple-emails-looking-for-single.html

Also try using the sendemail command in the search, then schedule the report. Refer to the command doc below:
https://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Sendemail


mlevsh
Builder

@p_gurav
Saw the Q&A at the first link, but it is not really clear what to do. The screenshot is not available on the page, and the text advice "-Always in Condition, -Once per search in Alert Mode" doesn't explain what should be changed. For example, there is no alert_mode in the Advanced Edit of a report.


p_gurav
Champion

Can you try the sendemail command in the search itself?


mlevsh
Builder

@p_gurav, I think we can use Settings -> Searches, reports, and alerts -> Advanced Edit on the Report -> change "alert.digest_mode" from "false" to "true". It seems to have fixed our issue. At least, for my test.

I compared a regular Alert's settings with "Trigger" set to "Once" and "Alert Trigger" set to "For each result" and found that alert.digest_mode corresponds to the Alert Trigger value. On the report that produced multiple emails, alert.digest_mode was set to "false". After changing it to "true" I got just one email.

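The accepted fix (alert.digest_mode) and p_gurav's sendemail alternative, written out as an added savedsearches.conf example; this is not from the thread or from Splunk's docs, and the stanza names, the lockout search and the recipient address are placeholders I made up:

```ini
# Added example: $SPLUNK_HOME/etc/apps/<app>/local/savedsearches.conf
# (this is the file "Advanced Edit" writes to; stanza names, the
# search and the recipient are constructed placeholders)

# BEFORE: one email per result row. digest_mode = 0 is the same
# setting an alert gets with "Trigger: For each result".
[Locked accounts - hourly (per-result)]
search = index=main "account locked" | stats count by user
cron_schedule = 0 * * * *
enableSched = 1
action.email = 1
action.email.to = soc@example.com
action.email.subject = Locked accounts (last hour)
action.email.sendresults = 1
action.email.inline = 1
action.email.format = table
alert.digest_mode = 0

# AFTER: a single email per run with every row in one inline table.
# Splunk reads 1/true and 0/false interchangeably for this key, which
# is why the GUI shows "true"/"false" while the spec says <boolean>.
[Locked accounts - hourly (digest)]
search = index=main "account locked" | stats count by user
cron_schedule = 0 * * * *
enableSched = 1
action.email = 1
action.email.to = soc@example.com
action.email.subject = Locked accounts (last hour)
action.email.sendresults = 1
action.email.inline = 1
action.email.format = table
alert.digest_mode = 1

# ALTERNATIVE: email from the search pipeline itself. sendemail sends
# the whole result set it receives once per run, regardless of
# digest_mode. Keep action.email off here, otherwise each run sends
# the report's own email on top of the command's.
[Locked accounts - hourly (sendemail)]
search = index=main "account locked" | stats count by user \
    | sendemail to="soc@example.com" subject="Locked accounts (last hour)" \
      sendresults=true inline=true format=table
cron_schedule = 0 * * * *
enableSched = 1
action.email = 0
```

Changing the value through Advanced Edit writes the same key and takes effect immediately; a hand edit of the file needs the app's configuration reloaded before the scheduler picks it up.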