Splunk Search

How can I have the hostname included in a scheduled Splunk report?

dkr3500
Path Finder

Splunk Enterprise 6.5.3

I have created a report to email me a .pdf. However, the report does not include the hostnames of the servers that it is reporting on.

I am using the following search regex: index=dba host=db5 "Error" OR "Warning" OR "Note"
And it shows host=sdb5 in the selected fields, as well as in the area immediately beneath the log data, but the host (hostname) will not appear in the report that is generated via an email. I only get the timestamp and the event (actual log data).

Is there a way to ensure that the hostname is included as part of the report?

1 Solution

dkr3500
Path Finder

From Splunk support:


I was able to confirm the same thing from the reports I received in my inbox. The 'host' field was in the body of the email, but the attached PDF report was cut off and did not include the 'host' field in the table. I talked to a few engineers here on my side, and this is a known issue: the PDF generator within Splunk does not work completely well, especially on large outputs. Also, there is a known bug where, when a field name contains extra whitespace at the beginning or the end, PDF export fails for that column. This issue is fixed in versions 7.0.3 and above. If upgrading Splunk is not an option, we recommend that users export to a CSV for better results and/or use the following PDF generator workarounds:

Take a look at the following tools to build similar functionality that is not dependent on the PDF generator:

https://github.com/kalink0/alert_send_screenshot

Katalon Suite is generally used for web UI automation testing, but can be used via the command line to take dashboard screenshots.

https://www.katalon.com/


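Support's recommendation is to export the search results as CSV rather than trust the PDF generator. The script below is an added example, not code from this thread or from Splunk: it submits the question's search (tabulated as _time, host, _raw so each row carries the hostname) to the Splunk REST export endpoint, parses the CSV it streams back, and fails loudly if the host column is absent. It also flags field names with leading or trailing whitespace, the trigger support describes for the pre-7.0.3 PDF column bug. SPLUNK_URL, SPLUNK_TOKEN and SPLUNK_CA are assumed placeholder environment variables, and the sample CSV is constructed, not real data from the poster's environment.

```python
"""
Export a Splunk search as CSV over the REST API instead of relying on the
PDF generator.  Added example, not code from the thread or from Splunk.
Assumed placeholders: SPLUNK_URL (management port, default https://localhost:8089),
SPLUNK_TOKEN (an authentication token) and optionally SPLUNK_CA (a CA bundle).
"""
import csv
import io
import os
import ssl
import urllib.parse
import urllib.request

# The thread's search, tabulated so each row carries the host.  A search
# submitted to the REST API must start with the "search" keyword.
SPL = ('search index=dba host=db5 ("Error" OR "Warning" OR "Note") '
       '| table _time host _raw')

REQUIRED_COLUMNS = ("_time", "host", "_raw")

# Constructed sample of what the export returns for this search
# (not real data from the poster's environment).
SAMPLE_CSV = '''"_time","host","_raw"
"2017-06-01T10:15:00.000-04:00","db5","2017-06-01 10:15:00 Warning: slow query, 4.2s"
"2017-06-01T10:16:30.000-04:00","db5","2017-06-01 10:16:30 Error: connection reset"
'''


def build_export_request(base_url, spl, earliest="-24h", latest="now", token=None):
    """Build the POST to /services/search/jobs/export that streams CSV rows."""
    url = base_url.rstrip("/") + "/services/search/jobs/export"
    body = urllib.parse.urlencode({
        "search": spl,
        "output_mode": "csv",
        "earliest_time": earliest,
        "latest_time": latest,
    }).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if token:
        headers["Authorization"] = "Bearer " + token
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def parse_csv_results(text):
    """Parse Splunk's CSV output into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def missing_columns(rows, required=REQUIRED_COLUMNS):
    """Required columns the export lacks; an empty list means every field survived."""
    present = set(rows[0].keys()) if rows else set()
    return [c for c in required if c not in present]


def padded_field_names(rows):
    """Field names with leading/trailing whitespace: rename these before
    scheduling a PDF on a Splunk older than 7.0.3."""
    names = rows[0].keys() if rows else []
    return [n for n in names if n != n.strip()]


def fetch_csv(request, cafile=None, timeout=60):
    """Send the request with TLS verification on (do not disable it for a
    server that holds your log data) and return the CSV body as text."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(request, context=ctx, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_rows(rows):
    """Raise if the export is unusable for the report; return rows otherwise."""
    missing = missing_columns(rows)
    if missing:
        raise RuntimeError("export lacks columns: " + ", ".join(missing))
    return rows


def export_report(path):
    """Run the export end to end and write the CSV to `path`; returns the rows."""
    req = build_export_request(
        os.environ.get("SPLUNK_URL", "https://localhost:8089"),
        SPL, token=os.environ["SPLUNK_TOKEN"])
    text = fetch_csv(req, cafile=os.environ.get("SPLUNK_CA"))
    rows = check_rows(parse_csv_results(text))
    with open(path, "w", newline="") as fh:
        fh.write(text)
    return rows


if __name__ == "__main__":
    if os.environ.get("SPLUNK_TOKEN"):
        rows = export_report("db5-errors.csv")
    else:
        rows = check_rows(parse_csv_results(SAMPLE_CSV))  # offline demo
    for row in rows:
        print(row["_time"], row["host"], row["_raw"])
```

The CSV file this writes can be attached to your own mail step, or dropped where the report consumers already look. Keep the token in the environment or a secrets store rather than in the script, and leave certificate verification on; an unverified TLS session to the search head hands your search results, and the token, to anyone on the path.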


akocak
Contributor

You should see your host in the PDF with the following; I am more concerned about your _time variable, for which you would need to use the "|fieldformat" command to make it human readable.

index=dba host=db5 ("Error" OR "Warning" OR "Note")
| table _time host _raw
| fieldformat _time = strftime(_time, "%Y-%m-%d %H:%M:%S") 

akocak
Contributor

BTW, Splunk searches are called SPL; regex is a different world.


dkr3500
Path Finder

Hello @akocak, thank you for your help. I have tried your SPL; it is still not showing the host field in the attached .pdf. I have been getting the same table: it has the _time column and the _raw column.

Is there anything else I can do?


akocak
Contributor

Can you paste what you see in the results? I am not sure what the issue is.


akocak
Contributor

Interesting, try this:
....
| eval myhost=host
| table _time myhost_raw
...


dkr3500
Path Finder

@akocak I appreciate your help. That didn't work; it just left the myhost_raw column blank on the .pdf file.


anthonymelita
Contributor

It sounds like you're sending raw event data. If that is the case, and that is what you're going for, then you can still dump it into a table.
| table _time host _raw
or
| fields _time host _raw


dkr3500
Path Finder

Thank you @anthonymelita. Your regex did help when I use "Inline" (table drop-down); it showed the timestamp, hostname, and event in the text of the email it sends out, but there were no changes to the .pdf that is attached, which is really what I need. Is there a way to make the .pdf show the hostname?

Thanks.
