I use sendemail command in scheduled search which runs every 5 minutes .
search looks like
index=myindex user=* | table user host source| sendemail.py to="email@example.com" subject="SPLUNK alert" sendresults=true server=18.104.22.168
Even there are no results i receive message with text "No results".
Is it possible to exclude such messages?
You could change your search to a regular alert and remove the sendemail command from the search. Then you get features such as filtering for number of results > 0 through the alert configuration.
Yes I had to choose this way and now i am modifying sendemail.py in search app.
Yup, those are hardcoded into the sendemail command. You can copy that python file and add your own command to splunk, say "mysendemail", and use that in alert_actions.conf. In there you can change how you'd like your mails to look.
But i will get alert name, link to results and etc. even if i turn off pdf delivery and include inline results(
Turn off PDF delivery then, you won't get an empty graph anymore.
yes, it is pdf attachment. My main goal is to get only table without message headers(alert name, link to results and etc.)
Is that delivered as a PDF attachment?
something like result of chart command execution but it is empty and has legend with specified field names which I used in my search (user host source).
What do you mean by empty graph above it?
Sure but when I make it i receive on email table with my results and empty graph above it. I do not know where does this graph originates from? So I tried sendemail command.