Reporting

Report is creating multiple emails instead of one

mlevsh
Builder

We have a report (NOT an alert) that has multiple events as a result of some specific search.
It is scheduled to run every hour and email the result of the search.
Instead of the report sending the entire result in one email, it sends an email for each event result.

For example:
Result of search on Report via GUI:
user1 locked
user2 locked
user3 locked

Report sends 3 emails with "user# locked" in the body of email

Is there any way to make it send one email with all events in the result without converting it to an alert?

Thank you


mlevsh
Builder

We used Settings -> Searches, reports, and alerts -> Advanced Edit on Report -> change "alert.digest_mode" from "false" to "true". It seems to have fixed our issue. At least, for my test.

I compared a regular Alert's settings with "Trigger" set to "Once" and "Alert Trigger" set to "For each result" and found that alert.digest_mode corresponds to the Alert Trigger value. On the report that produced multiple emails, alert.digest_mode was set to "false". After changing it to "true" I got just one email.
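
As an added illustration (not part of the original thread or of Splunk's own documentation), here is the same report written as a savedsearches.conf stanza, which is the file Advanced Edit writes to; the stanza name, search string and recipient are placeholders. The first stanza reproduces the one-email-per-result behaviour from the question, the second the fix described above.

```ini
# Constructed example, not from the thread. Advanced Edit saves these keys to
# $SPLUNK_HOME/etc/apps/<app>/local/savedsearches.conf.
# Stanza name, search and recipient below are placeholders.

# BEFORE: alert.digest_mode = false applies the email action once per
# result row, so three "userN locked" rows produce three separate emails.
[Locked accounts - hourly]
search = index=main "locked" | table user status
enableSched = 1
cron_schedule = 0 * * * *
dispatch.earliest_time = -1h
dispatch.latest_time = now
action.email = 1
action.email.to = secops@example.com
action.email.sendresults = 1
action.email.inline = 1
action.email.format = table
alert.digest_mode = false

# AFTER: alert.digest_mode = true runs the email action once against the
# whole result set, so every row lands in a single inline table.
[Locked accounts - hourly]
search = index=main "locked" | table user status
enableSched = 1
cron_schedule = 0 * * * *
dispatch.earliest_time = -1h
dispatch.latest_time = now
action.email = 1
action.email.to = secops@example.com
action.email.sendresults = 1
action.email.inline = 1
action.email.format = table
alert.digest_mode = true
```

To confirm the value actually took effect and is not overridden by another app's copy of the stanza, run `splunk btool savedsearches list "Locked accounts - hourly" --debug` on the search head and check which file alert.digest_mode is read from.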


christopherreed
Engager

It took a couple of tries for the value to actually set, but once it did it worked perfectly. I needed everything to be sent separately so I set it to false.


p_gurav
Champion

Hi,

This may help you:
https://answers.splunk.com/answers/586680/report-creates-multiple-emails-looking-for-single.html

Also try using the sendemail command in the search, then schedule the report. Refer to the command doc below:
https://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Sendemail


mlevsh
Builder

@p_gurav
Saw the Q&A at the first link, but it is not really clear what to do. The screenshot is not available on the page, and the text advice "-Always in Condition, -Once per search in Alert Mode" doesn't explain what should be changed. For example, there is no alert_mode in Advanced Edit of the report.


p_gurav
Champion

Can you try the sendemail command in the search itself?


mlevsh
Builder

@p_gurav, I think we can use Settings -> Searches, reports, and alerts -> Advanced Edit on Report -> change "alert.digest_mode" from "false" to "true". It seems to have fixed our issue. At least, for my test.

I compared a regular Alert's settings with "Trigger" set to "Once" and "Alert Trigger" set to "For each result" and found that alert.digest_mode corresponds to the Alert Trigger value. On the report that produced multiple emails, alert.digest_mode was set to "false". After changing it to "true" I got just one email.
