Splunk Enterprise 6.5.3
I have created a report to email me a .pdf. However, the report does not include the hostnames of the servers that it is reporting on.
I am using the following search regex: index=dba host=db5 "Error" OR "Warning" OR "Note"
And it shows host=sdb5 in the selected fields, as well as in the area immediately beneath the log data, but the host (hostname) will not appear in the report that is generated via an email. I only get the timestamp and the event (actual log data).
Is there a way to ensure that the hostname is included as part of the report?
From Splunk support:
I was able to confirm the same thing from the reports I received in my inbox. The 'host' field was in the body of the email, but the attached PDF report was cut off and did not include the 'host' field in the table. I talked to a few engineers here on my side, and this is a known issue: the PDF generator within Splunk does not work completely well, especially on large outputs. Also, there is a known bug: when a field name contains extra whitespace at the beginning or the end, PDF export fails for that column. This issue is fixed in versions 7.0.3 and above. If upgrading Splunk is not an option, we recommend that users export to a CSV for better results and/or use the following PDF generator workarounds:
Take a look at the following tools to build similar functionality that is not dependent on the PDF generator:
https://github.com/kalink0/alert_send_screenshot
Katalon Suite is generally used for web UI automation testing, but can be used via the command line to take dashboard screenshots.
https://www.katalon.com/
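The known bug support describes above (a field name with leading or trailing whitespace breaking that column in the PDF) can be checked for in the CSV export they recommend. This is an added example, not part of the original thread or Splunk's own code: it audits a constructed sample export for padded field names and builds an SPL rename clause that trims them. The function names and sample data are assumptions, and whether the rename clears the PDF problem on a given version is not confirmed on this page.

```python
import csv
import io

# Constructed sample of a Splunk CSV export; " host" carries a leading space.
SAMPLE_EXPORT = (
    '"_time"," host","_raw"\n'
    '"2018-03-01 10:15:02","db5","[Warning] Aborted connection 42"\n'
    '"2018-03-01 10:16:40","db5","[Note] Event Scheduler: Loaded 0 events"\n'
)


def audit_export(csv_text, required=("_time", "host", "_raw")):
    """Inspect a CSV export for padded, colliding or missing field names."""
    reader = csv.reader(io.StringIO(csv_text))
    header = next(reader, [])
    padded = [name for name in header if name != name.strip()]
    trimmed = [name.strip() for name in header]
    # Columns that collapse to one name after trimming cannot both be renamed.
    collisions = sorted({n for n in trimmed if trimmed.count(n) > 1})
    # "missing" uses the exact header, so a padded " host" counts as missing.
    missing = [name for name in required if name not in header]
    # Count rows where a required column exists (after trimming) but is empty.
    empty = {name: 0 for name in required if name in trimmed}
    for row in reader:
        for name in empty:
            idx = trimmed.index(name)
            if idx >= len(row) or not row[idx].strip():
                empty[name] += 1
    return {"padded": padded, "collisions": collisions,
            "missing": missing, "empty_rows": empty}


def rename_clause(padded, collisions=()):
    """Build an SPL rename clause that trims padded names, skipping collisions."""
    pairs = [f'"{name}" AS "{name.strip()}"' for name in padded
             if name.strip() not in collisions]
    return "| rename " + ", ".join(pairs) if pairs else ""


if __name__ == "__main__":
    report = audit_export(SAMPLE_EXPORT)
    print(report)
    print(rename_clause(report["padded"], report["collisions"]))
```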
You should see your host in the PDF with the following. I am more concerned about your _time variable; you would need to use the "| fieldformat" command to make it human readable.
index=dba host=db5 ("Error" OR "Warning" OR "Note" )
| table _time host _raw
| fieldformat _time = strftime(_time, "%Y-%m-%d %H:%M:%S")
BTW, Splunk searches are called SPL; regex is a different world.
Hello @akocak, thank you for your help. I have tried your SPL - it is still not showing the host field in the attached .pdf. I have been getting the same table; it has the _time column and the _raw column.
Is there anything else I can do?
Can you paste what you see in the results? I am not sure what the issue is.
Interesting, try this:
....
| eval myhost=host
| table _time myhost_raw
...
@akocak I appreciate your help. That didn't work; it just left the myhost_raw column blank on the .pdf file.
It sounds like you're sending raw event data. If that is the case and that is what you're going for then you can still dump it into a table.
| table _time host _raw
or
| fields _time host _raw
Thank you @anthonymelita. Your regex did help when I do "Inline" (table drop-down); it showed the timestamp, hostname, and event in the text of the email it sends out, but there were no changes to the .pdf that is attached - which is really what I need. Is there a way to make the .pdf show the hostname?
Thanks.