Reporting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk report on demand

SS1
Path Finder
‎06-17-2021 03:57 PM

Hi,

I have a report which is scheduled to run every day at 8 AM. 

Is it possible to generate that report to email address X by executing a command via CLI ?

0 Karma
Reply

SS1
Path Finder
‎06-17-2021 06:40 PM

Just wanted to see if i can issue a command via CLI at 8:15 AM and generate that report ?

0 Karma
Reply

venkatasri
SplunkTrust
SplunkTrust
‎06-17-2021 08:30 PM

Hi @SS1 

can be achieved if you have _audit index access to query it using Splunk Rest API and having mail functionality enabled.

 

 

#Step1 - Find the search_id of savedsearch
index=_audit savedsearch_name=<your_search_name> earliest=-20m latest=now | field search_id |  
Rest API POST method -https://docs.splunk.com/Documentation/Splunk/8.2.0/RESTREF/RESTsearch#search.2Fjobs

#Step2 get the results of step1 to retrieve search_id
Rest API GET method -https://docs.splunk.com/Documentation/Splunk/8.2.0/RESTREF/RESTsearch#search.2Fjobs

#Step3 retrieve the search job results of savedsearch
REST API GET Method -
https://docs.splunk.com/Documentation/Splunk/8.2.0/RESTREF/RESTsearch#search.2Fjobs.2F.7Bsearch_id.7D.2Fresults
-> output the results to a file

#Step4 use the linux sendmail command to send results to your required email, assuming you have SMTP enabled in linux

 

 

 -----

An upvote would be appreciated and accept solution if it helps!

0 Karma
Reply

venkatasri
SplunkTrust
SplunkTrust
‎06-17-2021 06:20 PM

Hi @SS1 

Reports functionality having trigger action Email is one of the action if you want to enable then at 08 AM you will get Email. In UI go to Edit -> schedule -> trigger Actions -> Email and fill in details required and check the additional options like send pdf, results etc.

Just wondering why you want to push it from CLI is this for ad-hoc basis rather than every days 08 AM?

Backed savedsearches.conf looks like this,

## cron is indicaive
[your_saved_search_report_name]
action.email = 1
action.email.sendpdf = 1
action.email.sendresults = 1
action.email.to = youremails@domain.com
alert.track = 0
cron_schedule = 0 6 * * 1
enableSched = 1

---

An upvote would be appreciated if it helps!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...