Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Attempting to use sendemail from dashboard if Checkbox is checked, and e-mail textbox is not null

RNB
Path Finder
‎10-14-2016 06:38 AM

I have created a dashboard consisting of five panels, and I have updated a panel so that an e-mail can be sent when the search for the panel completes. One panel works sporadically, the second doesn't. I am running Splunk version 6.5.0

The dashboard has three inputs for all panels
(1) Time
(2) Dropdown - This is populated with the Hostnames of devices of a specific device type that have sent syslog messages to Splunk within the time window specified in the Time input.
(3) Text - The token name is "emailAddr" with empty Default and Initial values. The Token Suffix is "@domain.name"

The the panel I am attempting to allow for the option to e-mail the results from is configured as follows:
(1) The panel displays events.
(2) Two panel inputs:
(2a) Text - Free form text input with the token "Filter" and a default value of *
(2b) Checkbox - The token is "SendReport" and when checked it contains the sendmail command "| sendemail to $emailAddr$ ..."
(3) The Panels search command is: eventttype=firewall AND $Filter$ $SendReport$

Behaviour:
- The panel with default values will not produce any results in the Event Window. If I remove $SendReport$ from the panel search string the panel with default values consistently returns results in the Event Window.
- If I check (enable) the checkbox with $SendReport$ restored to the panel search string, I get results in the Event Window, but there is a red triangle in the Title line that reads command="sendemail", {} while sending mail to: and I do not receive an e-mail.
- I add my username to the Dashboard text input
- I uncheck the Send email checkbox and the Event Window, the panel's search report "Search is waiting for input..."
- I check the Send e-mail checkbox and the Event Window is populated with results, but no e-mail is sent and the red triangle appears in the Title line, repeating the message identified above. (command=)

To confirm the search is syntactically correct, I expanded the token values (with real values, not the sample values) and this works.

eventtype=firewall AND 192.168.1.1 | sendemail to=user@domain.name subject="Dashboard Report" paperorientation="landscape" papersize="letter" width_sort_columns="true" sendresults="true" server="smtp.domain.name"

Any idea how I can fix the following conditions:
- Display results when the Send email checkbox is unchecked.
- Successfully send e-mail when the Send email

0 Karma
Reply

woodcock
Esteemed Legend
‎12-19-2016 01:02 PM

It REALLY helps to see your XML. Try something like this:

<form>
  <label>Show Hide Using checkbox</label>
  <fieldset submitButton="false">
    <input type="checkbox" token="emailORnot" searchWhenChanged="true">
      <choice value="emailORnot">Email Results?</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <table depends="$emailORnot$">
        <search>
          <query>index=_internal | stats count BY sourcetype | sendemail to="user@domain.name" subject="Dashboard Report" paperorientation="landscape" papersize="letter" width_sort_columns="true" sendresults="true" server="smtp.domain.name"</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
    <panel>
      <table rejects="$emailORnot$">
        <search>
          <query>index=_internal | stats count BY sourcetype</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk App for Anomaly Detection End of Life Announcment

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...