Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Send an Email for each lookup .csv processed.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Splunk Community team,
Please help:
I have N number of lookup lk_file_abc3477.csv, lk_file_xare000csv, lk_file_ppbc34ee.csv, etc.... files.
I have a splunk search/script that will be processing the same data type and same number of columns and my question is, is there any way to process each file and send an email for each individually, using Reports or Alerts option or any other way in one single execution?
Regards,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I said this before, it's worth repeating: map is usually not the right tool. But in this case, it can help. You can do something like this:
| makeresults format=csv data="file
lk_file_abc3477.csv
lk_file_xare000csv
lk_file_ppbc34ee.csv"
| map search="inputlookup $lookup$
| stats values(duration_time) AS duration_time by path
| makemv delim="\n " duration_time
| eval duration_time=split(duration_time," ")
| stats p90(duration_time) as "90th percentile (sec)" by path
| sort path
| sendmail someone@example.com"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I said this before, it's worth repeating: map is usually not the right tool. But in this case, it can help. You can do something like this:
| makeresults format=csv data="file
lk_file_abc3477.csv
lk_file_xare000csv
lk_file_ppbc34ee.csv"
| map search="inputlookup $lookup$
| stats values(duration_time) AS duration_time by path
| makemv delim="\n " duration_time
| eval duration_time=split(duration_time," ")
| stats p90(duration_time) as "90th percentile (sec)" by path
| sort path
| sendmail someone@example.com"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Your response was the key to make the idea I had happened. I have to made some changes to the query.
Since I have a long file list, I decided to list them with "| rest" command, then I was getting wildcard issues and I had to make macros to overcome that problem.
Now I working with the Splunk admin team because I am getting the error below casuse by "| sendemail" and it is caused by a missing admin access:
[map]: command="sendemail", 'rootCAPath' while sending mail to: jpichardo@jaggaer.com
I cannot use "| sendresults" command because the version we have does not support it.
| rest /servicesNS/-/-/data/lookup-table-files f=title
splunk_server=local ```To avoid the "you do not have the "dispatch_rest_to_indexers" capability" warning```
| fields title
| search title="lk_file*.csv"
| dedup title
| map maxsearches=9999 search="inputlookup $title$ |eval filename=$title$
| search path!=`macroDoubleQuotation`
| stats values(duration_time) AS duration_time by path filename
| `macroMakemvNewLineDelimeter` duration_time
| eval duration_time=`macroSplitSpace`
| `macroPerformanceP90`
| sort path
| `macroSendMailPerformanceSlaList`
Thanks so much for help me with!!!.
Regards,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @livehybrid
The goal is a single execution of the search/query below for each file e.g.: lk_file_abc3477.csv, lk_file_xare000csv, lk_file_ppbc34ee.csv, etc.. and send an email for each of them individually.
| inputlookup lk_file_abc3477.csv
| stats values(duration_time) AS duration_time by path
| makemv delim="\n " duration_time
| eval duration_time=split(duration_time," ")
| stats p90(duration_time) as "90th percentile (sec)" by path
| sort path
Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @JMPP
What is your search doing? Without seeing its not completely clear but if you have a scheduled search running to manipulate these csv files then you could have that trigger an email alert action on completion of the search.
🌟 Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
