We have a report (NOT an alert) that has multiple events as a result of some specific search.
It is scheduled to run every hour and email the result of a search.
Instead of the report sending the entire report in one email, it sends an email for each event result.
For example:
Result of search on Report via GUI:
user1 locked
user2 locked
user3 locked
Report sends 3 emails with "user# locked" in the body of the email.
Is there any way to make it send one email with all events on the result without converting it to an alert?
Thank you
We used Settings -> Searches, reports, and alerts -> Advanced Edit on Report -> change "alert.digest_mode" from "false" to "true". It seems to have fixed our issue. At least, for my test.
I compared a regular Alert's settings with "Trigger" set to "Once" and "Alert Trigger" set to "For each result" and found that alert.digest_mode corresponds to the Alert Trigger value. On the report that produced multiple emails, alert.digest_mode was set to "false". After changing it to "true" I got just one email.
It took a couple of tries for the value to actually set, but once it did it worked perfectly. I needed everything to be sent separately so I set it to false.
Hi,
This may help you:
https://answers.splunk.com/answers/586680/report-creates-multiple-emails-looking-for-single.html
Also try using the sendemail command in the search, then schedule the report. Refer to the command doc below:
https://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Sendemail
@p_gurav
Saw the Q&A at the first link, but it is not really clear what to do. The screenshot is not available on the page, and the text advice "-Always in Condition, -Once per search in Alert Mode" doesn't explain what should be changed. For example, there is no alert_mode in Advanced edit of report.
Can you try sendmail command in search itself.
@p_gurav, I think we can use Settings -> Searches, reports, and alerts -> Advanced Edit on Report -> change "alert.digest_mode" from "false" to "true". It seems to have fixed our issue. At least, for my test.
I compared a regular Alert's settings with "Trigger" set to "Once" and "Alert Trigger" set to "For each result" and found that alert.digest_mode corresponds to the Alert Trigger value. On the report that produced multiple emails, alert.digest_mode was set to "false". After changing it to "true" I got just one email.