Splunk Dev

Is there any way to dynamically configure email output tokens through Python similar to custom commands, or some other method?

Haybuck15
Explorer

We have a report that runs every 24 hours for each of our four sites, and we can't cluster two of the sites together for logistical purposes. For the purposes of this question, let's call them "siteA", "siteB", "siteC", and "siteD".

Our security team has a requirement that this report contain the site name in the subject line, currently this is accomplished by hard coding the site name into four different apps managed from the Deployment Server, however this is quickly becoming unmanageable.

Each Splunk Server contains the site name in the server's hostname. EX: "siteA-searchHead01"

What I'm looking to do here is find a way to configure the emailed out reports to dynamically take the first stanza of the hostname of the server it's run from (everything before the "-" in the above example), and stick that portion of the $server.serverName$ token in the subject line.

If this were outputting as a result in the report I could just use a Job token, however I can't forcibly add this to the report, as these reports go out as PDFs to Auditors, and we need to keep them to just the information currently displayed; an extraneous field would look severely unprofessional.

Is there any way to dynamically configure email output tokens through Python similar to custom commands, or some other method?

Labels (1)
0 Karma

woodcock
Esteemed Legend

Like this:

... | append [
| rest/services/authentication/users splunk_server=local
| dedup splunk_server
| table splunk_server
| lookup dnslookup clienthost AS splunk_server
| lookup dnslookup clientip AS clientip
| rename * AS _* ]

Then you can use $results._splunk_server$, etc.

0 Karma
Get Updates on the Splunk Community!

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...