Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Edit CSV file sent through sendemail command

Poojitha
Communicator
‎12-19-2023 03:18 AM

Hi All,

I am trying to send email using sendemail command with csv as an attachment . Email is getting sent successfully but file is getting named as "unknown-<date_time>". I want to rename this file. Please let me know how we are doing this.

| sendemail
      sendresults=true format=csv
      to=\"$email$\"
      graceful=false
      message="This is a test email"
      subject="Test Email Check"

Also , message and subject is getting truncated. I am getting message body as "This" and Subject as "Test".
Please help me to know what is going wrong.

Help on :
Renaming the csv file.
How to avoid message body and subject getting truncated.

I really appreciate your help on this

Regards,
PNV

0 Karma
Reply

Esky73
Builder
‎02-26-2024 07:52 PM

Came looking for an answer to this as well - seems there has been an idea for this for some time now ..

https://ideas.splunk.com/ideas/EID-I-717 

0 Karma
Reply

Poojitha
Communicator
‎01-05-2024 12:11 PM

@Anonymous  : I am seeing come inconsistency. Once the SPL worked where subject and email body were added as I specified . But sometimes it is not working.
Email is getting sent . 

Internal logs show subject and email body as empty 😞

0 Karma
Reply

Poojitha
Communicator
‎01-05-2024 12:09 PM

@isoutamo  This is how my SPL looks like. Alert is created to run on weekly basis

< my initial search here>
| table hostname owner version 
| outputcsv test.csv
| stats values(owner) as email
| mvexpand email 
| eval subject="Test Alert" ,email_body= "This is test email body"
| map  search="|inputcsv test.csv | where owner=\"$email$\" |
 sendemail sendcsv=true to=\"$email$\" subject=\"$subject$\" message="\$email_body$\""

I created subject and email_body using eval and using in sendemail.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-05-2024 06:17 AM

First thing to verify would be to check your _internal logs for the sendemail.py activity and see whether it reports sending the email with the full subject (you won't see the message contents in the log) or truncated one. This way you'll know if it's something between Splunk and the sendemail.py script or is it something in sendemail.py/between it and your email server.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎01-05-2024 06:12 AM

Hi

this should work as expected and documented. Only thing is what you have on $email$ and where you have set it? And where you are calling this partially SPL?

I suppose that this csv file prefix is fixed and you cannot change it?

r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...