How to use fields as tokens in scheduled report emails, but not in visualizations?

Explorer

Dear experts,

I defined the below mentioned pivot to generate a monthly report of the most frequently used URL paths on a web server. In the email sent by the scheduled report, I would like to show the name of the month and current year. My idea is to use the auto-extracted fields date_month and date_year as tokens in the email ($report.date_month$, $report.date_year$). It is acceptable to show these two attributes in the statistics part of the report, but not in the visualization part (a bar chart). Is there any way to make these two fields invisible in the chart?

Also other approaches to accomplish the functionality are welcome!

| pivot WebServer_KPIs Bandwith sum(bytes_out) AS "Bandwith/bytes" first(date_month) AS "Month" min(date_year) AS "Year" SPLITROW application_name AS Apps TOP 10 sum(bytes_out) ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 0 SHOWOTHER 1

Thanks and br,
Elmar

0 Karma
Re: How to use fields as tokens in scheduled report emails, but not in visualizations?

Esteemed Legend

I would not use the built-in fields at all; they are not what you think they are. Read this:

https://answers.splunk.com/answers/243017/counting-the-total-number-of-days-for-all-time.html

0 Karma
Re: How to use fields as tokens in scheduled report emails, but not in visualizations?

Explorer

Hello,

Thank you for the interesting hint. However, even if I use some self-defined fields instead of the built-in ones, this still does not solve my problem of how to use those as email tokens without displaying them in the related bar chart.

So any further suggestions on how to solve the actual problems are still welcome 🙂

Thanks and br,
Elmar

0 Karma
Re: How to use fields as tokens in scheduled report emails, but not in visualizations?

SplunkTrust

Make 2 searches... one powers the dashboard and one sends email notifications.

Or, send 2 emails... one for each desired output.

Or, make a dashboard with both searches. One search is a data table and has the fields you're looking for... the next search is a visualization with | fields - field1 field2 or otherwise discards/doesn't use the fields. Then schedule PDF delivery...

0 Karma
Re: How to use fields as tokens in scheduled report emails, but not in visualizations?

Explorer

Hi, thanks for your answer. Scheduling PDF delivery for a whole dashboard is a promising approach. However, the requirement is to send a bar chart as email notification with month and year of the previous month search in the email subject but not visible in the bar chart. For me, it looks like other than for reports it is not possible to use search result fields as email tokens, right? So I am not yet able to enter the month and year values related to the previous month search into the email subject on the one hand without showing these two values in the bar chart on the other hand....

Any further ideas still welcome,
Elmar

0 Karma
Re: How to use fields as tokens in scheduled report emails, but not in visualizations?

SplunkTrust

Seems to me if you're using the ...|sendemail command, you should be able to pass tokens to it with map command.

mainSearch .... | ... | map search="|sendemail subject='$tokenFromMainSearch$'"

http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Map

0 Karma