Solved: Re: Custom date for splunk email subject and attac...

mokers · ‎04-22-2022

Hello Splunk friends,

I'm trying to send a report from Splunk that contains an attached report.

The email subject needs to be last months date, i.e. "My Report Name _ Mar_22", and the same for the email attachment filename.

I currently have this working using hidden field eval values like so, but I've noticed that if my table returns no results, I'll also get no value for last months date.

My Search looks like so:

Index = myIndex Process = myProcess earliest=-1mon@mon latest=now | eval _date_one_month_ago = relative_time (now(), "-1mon@mon") | eval _reporting_date = strftime (_date_one_month_ago, "%b_%Y") | stats count by orgName

Any help would be really appreciated in populating the email subject and attachment name with last months date, without depending on my table to have data.

Thank you

ITWhisperer · ‎04-22-2022

Try something like this

| appendpipe
  [ stats count as _count
  | where _count == 0
  | eval _date_one_month_ago = relative_time (now(), "-1mon@mon")
  | eval _reporting_date = strftime (_date_one_month_ago, "%b_%Y")]

View solution in original post

ITWhisperer · ‎04-22-2022

Try something like this

| appendpipe
  [ stats count as _count
  | where _count == 0
  | eval _date_one_month_ago = relative_time (now(), "-1mon@mon")
  | eval _reporting_date = strftime (_date_one_month_ago, "%b_%Y")]

mokers · ‎04-22-2022

Thank you, that's worked!!

warrenchui · ‎07-19-2023

How to align with the Alert EMail attachment date?

ITWhisperer · ‎07-19-2023

Please raise a new question detailing your specific requirement (rather than hijacking another question which has already been answered).

How to send a report with custom date for Splunk email subject and attachment name?

app

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?