Reporting

using sendemail in a dashboard

Builder

I have a dashboard that I want to send an e-mail when the search finishes. When I do the search in the search dashboard, all works fine. When I do the search in the dashboard, I get several copies of the e-mail.
Has anyone experienced this and is there a way to fix this behavior?

Ultra Champion

Try changing it to a savedsearch and referring to that report instead of using an inline search. As a panel it could be getting reloaded or loaded by a few folks or in a few tabs.

0 Karma

Builder

a saved search would work as does each panel with its own search. The problem is in my original problem I have 4 panels using the a base search and this is the case where I get multiple e-mails.

0 Karma

Ultra Champion

Oh! This is a post-processing situation? Hook us up with the whole page so we get the full context and we'll see what we can do. Fair? The snippet you provided earlier seems like a one panel page. Or maybe I've just gotten confused on the problem.

0 Karma

Builder
<dashboard>
  <label>test sendemail</label>
  <row>
    <panel>
      <title>inline search</title>
      <table>
        <search>
          <query>| metasearch index=* OR index=_* 
| stats count by index, host
| sendemail to=&quot;me@domain.com&quot; sendcsv=false subject=&quot;index host&quot;
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
  <search id="base">
    <query>| metasearch index=* OR index=_* 
| stats count by index, host
| fields count index host 
    </query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
    <sampleRatio>1</sampleRatio>
  </search>
  <row>
    <panel>
      <title>post search host</title>
      <table>
        <search base="base">
          <query>
| stats sum(count) as count by host
| sendemail to=&quot;me@domain.com&quot; sendcsv=false subject=&quot;post host&quot;
          </query>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
    <panel>
      <title>post search index</title>
      <table>
        <search base="base">
          <query>
| stats sum(count) as count by index
| sendemail to=&quot;me@domain.com&quot; sendcsv=false subject=&quot;post index&quot;
          </query>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</dashboard>
0 Karma

Ultra Champion

Thank you for sharing the full page. The only other things I would test it I were you is if that behavior changes on different releases (in case it's a bug that was addressed) and if btool shows that the alert_actions.conf has some settings in it causing silliness.

All that said, I'm pessimistic those will produce promising answers for you so I'd suggest opening a support case since it appears feature/functionality is not working as documented. Make sure to outline the key points of this thread so as to expedite your case by reducing support's interest in asking questions we addressed here.

0 Karma

SplunkTrust
SplunkTrust

@fk319, the above dashboard has three sendemail searches. If you get three email each time dashboard loads (refreshes), then that is expected behavior. What is the behavior that you are seeing?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Builder

That would be expected, but I am getting 10-12 e-mails.

0 Karma

SplunkTrust
SplunkTrust

@fk319,

Can you try with the following tstats based SPL:

        <search>
          <query>| tstats count WHERE index=* OR index=_* BY index, host
| sendemail to="abc@def.com" subject="index host" sendcsv=false sendresults=true
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>

You can also try another option to enable schedule PDF delivery of Dashboard via email instead of sendemail command, so that emails are sent out as per predefined schedule(frequency), rather than an email everytune Dashboard is loaded.. You should configure Schedule PDF delivery option following Splunk documenation: http://docs.splunk.com/Documentation/Splunk/latest/Report/GeneratePDFsofyourreportsanddashboards

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

SplunkTrust
SplunkTrust

Curious. Please post the dash code snippet for the search and for the email send.

Builder
    <panel>
      <title>inline search</title>
      <table>
        <search>
          <query>| metasearch index=* OR index=_* 
| stats count by index, host
| sendemail to=&quot;me@domain.com&quot; sendcsv=false subject=&quot;index host&quot;
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
0 Karma