Splunk Search

How to use fields as tokens in scheduled report emails, but not in visualizations?

el_ster
Explorer

Dear experts,

I defined the below mentioned pivot to generate a monthly report of the most frequently used URL paths on a web server. In the email sent by the scheduled report, I would like to show the name of the month and current year. My idea is to use the auto-extracted fields date_month and date_year as tokens in the email ($report.date_month$, $report.date_year$). It is acceptable to show these two attributes in the statistics part of the report, but not in the visualization part (a bar chart). Is there any way to make these two fields invisible in the chart?

Also other approaches to accomplish the functionality are welcome!

| pivot WebServer_KPIs Bandwith sum(bytes_out) AS "Bandwith/bytes" first(date_month) AS "Month" min(date_year) AS "Year" SPLITROW application_name AS Apps TOP 10 sum(bytes_out) ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 0 SHOWOTHER 1

Thanks and br,
Elmar

0 Karma

jkat54
SplunkTrust

Make 2 searches... one powers the dashboard and one sends email notifications.

Or, send 2 emails... one for each desired output.

Or, make a dashboard with both searches. One search is a data table and has the fields you're looking for... the next search is the visualization with | fields - field1 field2 or otherwise discard/don't use the fields. Then schedule PDF delivery...

0 Karma

el_ster
Explorer

Hi, thanks for your answer. Scheduling PDF delivery for a whole dashboard is a promising approach. However, the requirement is to send a bar chart as email notification with month and year of the previous month search in the email subject but not visible in the bar chart. For me, it looks like other than for reports it is not possible to use search result fields as email tokens, right? So I am not yet able to enter the month and year values related to the previous month search into the email subject on the one hand without showing these two values in the bar chart on the other hand....

Any further ideas still welcome,
Elmar

0 Karma

jkat54
SplunkTrust

Seems to me if you're using the ...|sendemail command, you should be able to pass tokens to it with map command.

mainSearch .... | ... | map search="|sendemail subject='$tokenFromMainSearch$'"

http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Map

0 Karma
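
The map/sendemail pattern suggested above, written out as an added example that is not part of the original thread. It assumes the schedule's time range covers the previous month; the field names prev, Month and Year and the recipient address are made up for illustration. The outer search builds the month and year, and map substitutes them into the subject, so the pivot itself never carries those two columns. The mail contains the pivot results as an inline table.

```spl
| makeresults
| eval prev=relative_time(now(), "-1mon@mon")
| eval Month=strftime(prev, "%B"), Year=strftime(prev, "%Y")
| map maxsearches=1 search="
    | pivot WebServer_KPIs Bandwith sum(bytes_out) AS \"Bandwith/bytes\"
        SPLITROW application_name AS Apps TOP 10 sum(bytes_out)
        ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 0 SHOWOTHER 1
    | sendemail to=\"reports@example.com\"
        subject=\"Top applications by bandwidth, $Month$ $Year$\"
        sendresults=true inline=true"
```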

woodcock
Esteemed Legend

I would not use the built-in fields at all; they are not what you think they are. Read this:

https://answers.splunk.com/answers/243017/counting-the-total-number-of-days-for-all-time.html

0 Karma

el_ster
Explorer

Hello,

Thank you for the interesting hint. However, even if I use some self-defined fields instead of the built-in ones, this still does not solve my problem of how to use those as email tokens without displaying them in the related bar chart.

So any further suggestions how to solve the actual problems are still welcome 🙂

Thanks and br,
Elmar

0 Karma