Solved: Re: Send an Email for each lookup .csv processed.

JMPP

Hi Splunk Community team,

Please help:

I have N number of lookup lk_file_abc3477.csv, lk_file_xare000csv, lk_file_ppbc34ee.csv, etc.... files.

I have a splunk search/script that will be processing the same data type and same number of columns and my question is, is there any way to process each file and send an email for each individually, using Reports or Alerts option or any other way in one single execution?

Regards,

yuanliu

I said this before, it's worth repeating: map is usually not the right tool. But in this case, it can help. You can do something like this:

| makeresults format=csv data="file
lk_file_abc3477.csv
lk_file_xare000csv
lk_file_ppbc34ee.csv"
| map search="inputlookup $lookup$
| stats values(duration_time) AS duration_time by path
| makemv delim="\n " duration_time
| eval duration_time=split(duration_time," ")
| stats p90(duration_time) as "90th percentile (sec)" by path
| sort path
| sendmail someone@example.com"

View solution in original post

yuanliu

I said this before, it's worth repeating: map is usually not the right tool. But in this case, it can help. You can do something like this:

| makeresults format=csv data="file
lk_file_abc3477.csv
lk_file_xare000csv
lk_file_ppbc34ee.csv"
| map search="inputlookup $lookup$
| stats values(duration_time) AS duration_time by path
| makemv delim="\n " duration_time
| eval duration_time=split(duration_time," ")
| stats p90(duration_time) as "90th percentile (sec)" by path
| sort path
| sendmail someone@example.com"

JMPP

Hi,

Your response was the key to make the idea I had happened. I have to made some changes to the query.

Since I have a long file list, I decided to list them with "| rest" command, then I was getting wildcard issues and I had to make macros to overcome that problem.

Now I working with the Splunk admin team because I am getting the error below casuse by "| sendemail" and it is caused by a missing admin access:
[map]: command="sendemail", 'rootCAPath' while sending mail to: jpichardo@jaggaer.com

I cannot use "| sendresults" command because the version we have does not support it.
| rest /servicesNS/-/-/data/lookup-table-files f=title
splunk_server=local ```To avoid the "you do not have the "dispatch_rest_to_indexers" capability" warning```
| fields title
| search title="lk_file*.csv"
| dedup title
| map maxsearches=9999 search="inputlookup $title$ |eval filename=$title$
| search path!=`macroDoubleQuotation`
| stats values(duration_time) AS duration_time by path filename
| `macroMakemvNewLineDelimeter` duration_time
| eval duration_time=`macroSplitSpace`
| `macroPerformanceP90`
| sort path
| `macroSendMailPerformanceSlaList`

Thanks so much for help me with!!!.

Regards,

JMPP

Hi @livehybrid

The goal is a single execution of the search/query below for each file e.g.: lk_file_abc3477.csv, lk_file_xare000csv, lk_file_ppbc34ee.csv, etc.. and send an email for each of them individually.

| inputlookup lk_file_abc3477.csv
| stats values(duration_time) AS duration_time by path
| makemv delim="\n " duration_time
| eval duration_time=split(duration_time," ")
| stats p90(duration_time) as "90th percentile (sec)" by path
| sort path

Regards

livehybrid

Hi @JMPP

What is your search doing? Without seeing its not completely clear but if you have a scheduled search running to manipulate these csv files then you could have that trigger an email alert action on completion of the search.

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Send an Email for each lookup .csv processed.

lookup

other

.conf25 Registration is OPEN!

Detecting Cross-Channel Fraud with Splunk

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Are you a member of the Splunk Community?