All 4 things use the $argument$
syntax. I am trying to use sendemail
inside of a macro
and have tried \$search\$
, $$search$$
, and $$$search$$$
but none works. Is it even possible?
My macro is this:
sendemail
sendresults=true
inline=true
graceful=true
to=whatever@gmail.com
subject="subject"
message="This report alert was generated by search $name$ in $app$ Splunk with this search string: $search$"
And the $name$
, $app$
, and $search$
are being eaten.
See dox here:
https://docs.splunk.com/Documentation/Splunk/latest/Alert/EmailNotificationTokens
Let me restate my problem. There are multiple things in Splunk that use the $argument$
syntax. The question is: how do I get 2 of those things to work together when they both think that $argument$
is for him. In this case, the 2 things are macro
and sendemail
. How do I get macro
not to mess up the arguments that are intended for sendemail
.
@woodcock It's difficult for me to test. It's sparked a lot of conversation over here. I see someone else can't test it. Do you think you could work this into a run anywhere example of where you are so far? Then people could test in parallel. At a minimum, we could comment on what we tried and what didn't work. At the most, we'd find the solution. Thoughts?
@woodcock I'm not clear on what you mean. I have a simple search:
index=_internal sourcetype=splunkd_access user=efavreau | stats count
Created a macro:
name: testsendemail(3)
definition: sendemail sendresults=true inline=true graceful=true to=me@me.com subject="subject" message="This report alert was generated by search $name$ in $app$ Splunk with this search string: $search$ "
args: name, app, search
Put it all together:
index=_internal sourcetype=splunkd_access user=efavreau
| stats count
| `testsendemail(mytest,FOOAPP,"index=_internal sourcetype=splunkd_access user=efavreau | stats count")`
Ran it in the GUI and that worked for me in v6.6.6. So then I scheduled the report on a cron * * * * * , and that worked too.
Am I missing something?
Let me clarify. I get the email, but the 3 variables do not get dereferenced; they get dropped altogether. so the message
should be This report alert was generated by search This Is The Search Name in AppName Splunk with this search string: index=foo sourcetype=bar ...
but instead I get This report alert was generated by search in Splunk with this search string:
.
Wait a minute. I think I have the answer. As long as the variables for the "other" thing do not match the names of the arguments of my macro, my macro should ignore them (I think)! Testing now...
Did not work.
Isn't the "!" the correct escape character here? Got nothing to test right now..
I think it's $!variable$
This is also a problem for ldapsearch
command as documented (and solved!) here: https://answers.splunk.com/answers/223246/workflow-action-contains-other-variables-how-do-i.html
Unfortunately, the solution was to use a macro!