can be achieved if you have _audit index access to query it using the Splunk REST API and have mail functionality enabled.
#Step1 - Find the search_id of the saved search
index=_audit savedsearch_name=<your_search_name> earliest=-20m latest=now | fields search_id
REST API POST method - https://docs.splunk.com/Documentation/Splunk/8.2.0/RESTREF/RESTsearch#search.2Fjobs
#Step2 - Get the results of step 1 to retrieve the search_id
REST API GET method - https://docs.splunk.com/Documentation/Splunk/8.2.0/RESTREF/RESTsearch#search.2Fjobs
#Step3 - Retrieve the search job results of the saved search
REST API GET method - https://docs.splunk.com/Documentation/Splunk/8.2.0/RESTREF/RESTsearch#search.2Fjobs.2F.7Bsearch_id.7D.2Fresults -> output the results to a file
#Step4 - Use the Linux sendmail command to send the results to your required email, assuming you have SMTP enabled in Linux
An upvote would be appreciated, and please accept the solution if it helps!
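The four steps from the answer above as one script. This is an added example, not part of the original answer. `SPLUNK_URL`, `SPLUNK_TOKEN` (a Splunk authentication token), the function names and the accepted search_id character set are assumptions, and steps 1 and 2 are combined by running the _audit search with `exec_mode=oneshot`.

```shell
#!/bin/sh
# Added example; SPLUNK_URL, SPLUNK_TOKEN and all function names are assumptions.
set -eu
SPLUNK_URL="${SPLUNK_URL:-https://splunk.example.com:8089}"  # placeholder management URL

# The token is read from the environment, not passed as an argument; TLS checks stay on.
splunk_api() {
  path="$1"; shift
  curl --silent --show-error --fail \
    -H "Authorization: Bearer ${SPLUNK_TOKEN}" "$@" "${SPLUNK_URL}${path}"
}

# CSV from the _audit search: header line, then the value, which may be wrapped in quotes.
parse_search_id() { sed -n '2p' | tr -d "\"'\r"; }

# Accept only characters expected in a scheduler search_id (assumed set), so the
# value cannot alter the request path built in step 3. Empty input is rejected too.
valid_sid() {
  case "$1" in
    ""|*[!A-Za-z0-9_.-]*) return 1 ;;
  esac
}

# Steps 1 and 2: run the _audit search as a oneshot job and return the newest search_id.
latest_search_id() {
  splunk_api /services/search/jobs -d exec_mode=oneshot -d output_mode=csv \
    --data-urlencode "search=search index=_audit savedsearch_name=\"$1\" earliest=-20m latest=now | fields search_id | head 1" \
    | parse_search_id
}

# Step 3: fetch all results of that job as CSV.
fetch_results() {
  valid_sid "$1" || { echo "unexpected search_id: '$1'" >&2; return 1; }
  splunk_api "/services/search/jobs/$1/results" --get -d output_mode=csv -d count=0
}

# Step 4: build the message for sendmail -t; CR/LF is stripped from header values
# so a crafted recipient or subject cannot add extra headers.
build_mail() {
  to="$(printf '%s' "$1" | tr -d '\r\n')"
  subject="$(printf '%s' "$2" | tr -d '\r\n')"
  printf 'To: %s\nSubject: %s\nContent-Type: text/csv; charset=UTF-8\n\n' "$to" "$subject"
  cat "$3"
}

main() {  # usage: script <saved_search_name> <recipient>
  out="$(mktemp)"; trap 'rm -f "$out"' EXIT
  sid="$(latest_search_id "$1")"
  fetch_results "$sid" > "$out"
  build_mail "$2" "Splunk report: $1" "$out" | sendmail -t
}
if [ "$#" -ge 2 ]; then main "$@"; fi
```

If the _audit search returns nothing in the 20-minute window, the empty search_id is rejected before any results request is made.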
The Reports functionality has Email as one of its trigger actions; if you enable it, you will get an email at 08 AM. In the UI, go to Edit -> Schedule -> Trigger Actions -> Email, fill in the required details, and check the additional options such as send PDF, results, etc.
Just wondering why you want to push it from the CLI: is this on an ad-hoc basis rather than every day at 08 AM?
The backend savedsearches.conf looks like this:
## cron is indicative
[your_saved_search_report_name]
action.email = 1
action.email.sendpdf = 1
action.email.sendresults = 1
action.email.to = firstname.lastname@example.org
alert.track = 0
cron_schedule = 0 6 * * 1
enableSched = 1
An upvote would be appreciated if it helps!