Reporting
Highlighted

Report is creating multiple emails instead of one

Builder

We have a report (NOT an alert) that has multiple events as a result of some specific search.
It is scheduled to run every hour and email result of a search.
Instead of the report sending the entire report in one email, it sends an email for each event result

For example:
Result of search on Report via GUI :
user1 locked
user2 locked
user3 locked

Report sends 3 emails with "user# locked" in the body of email

Is there any way to make it to send one email with all events on the result without converting it to an alert?

Thank you

Labels (1)
0 Karma
Highlighted

Re: Report is creating multiple emails instead of one

Champion

Hi,

This may help you:
https://answers.splunk.com/answers/586680/report-creates-multiple-emails-looking-for-single.html

Also try using sendemail command in search, then schedule report. Refer below command doc:
https://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Sendemail

0 Karma
Highlighted

Re: Report is creating multiple emails instead of one

Builder

@pgurav
Saw the Q&A at the first link , but it is not really clear what to do. The screen shot is not available on the page , the text advice "-Always in Condition, -Once per search in Alert Mode" doesn't explain what should be changed . For example, there is no alert
mode in Advanced edit of report.

0 Karma
Highlighted

Re: Report is creating multiple emails instead of one

Champion

Can you trysendmail command in search itself.

0 Karma
Highlighted

Re: Report is creating multiple emails instead of one

Builder

@pgurav, I think we can use Settings-> Searches, reports, and alerts -> Advanced Edit on Report -> change "alert.digestmode" from “false” to “true” . It seems to have fixed our issue. At least, for my test.

I compared regular Alert's settings with "Trigger" set to "Once" and "Alert Trigger" set to "For each result" and found that alert.digestmode is corresponding to Alert Trigger value. On the report that produced multiple emails, alert.digestmode was set to "false". After changing it to "true" I got just one email

0 Karma
Highlighted

Re: Report is creating multiple emails instead of one

Builder

We used Settings-> Searches, reports, and alerts -> Advanced Edit on Report -> change "alert.digest_mode" from “false” to “true” . It seems to have fixed our issue. At least, for my test.

I compared regular Alert's settings with "Trigger" set to "Once" and "Alert Trigger" set to "For each result" and found that alert.digestmode is corresponding to Alert Trigger value. On the report that produced multiple emails, alert.digestmode was set to "false". After changing it to "true" I got just one email

View solution in original post

Highlighted

Re: Report is creating multiple emails instead of one

It took a couple of tries for the value to actually set, but once it did it worked perfectly. I needed everything to be sent separately so I set it to false.

0 Karma