Solved: Why is sendalert not working with makeresults?

uchoavaz · ‎08-11-2022

Hello!

I am trying to use makeresults + eval inside a sendalert parameters, but it doesn't return what i need. Follow the example:

index=client1 sourcetype=report_case source=splunk-hf | table action_date	case_post_date	action_taken	arn	scheme_case_number	client_internal_id	uuid	acquirer_case_number | sendalert s3_upload param.bucket_name="bucket_name" param.file_format="csv" param.file_name=[|makeresults | eval filename=strftime(now(), "filename-PreviousDay_%Y_%m_%d_%H_%M_%S") | return $filename]

the file is created but with a default name "test_20220811.csv".

What am i doing wrong in the search?

Thanks

ITWhisperer · ‎08-11-2022

Try something like this

index=client1 sourcetype=report_case source=splunk-hf | table action_date	case_post_date	action_taken	arn	scheme_case_number	client_internal_id	uuid	acquirer_case_number | sendalert s3_upload param.bucket_name="bucket_name" param.file_format="csv" [|makeresults | eval "param.file_name"=strftime(now(), "filename-PreviousDay_%Y_%m_%d_%H_%M_%S") | fields 'param.file_name' | format "" "" "" "" "" ""]

View solution in original post

ITWhisperer · ‎08-11-2022

Try something like this

index=client1 sourcetype=report_case source=splunk-hf | table action_date	case_post_date	action_taken	arn	scheme_case_number	client_internal_id	uuid	acquirer_case_number | sendalert s3_upload param.bucket_name="bucket_name" param.file_format="csv" [|makeresults | eval "param.file_name"=strftime(now(), "filename-PreviousDay_%Y_%m_%d_%H_%M_%S") | fields 'param.file_name' | format "" "" "" "" "" ""]

Why is sendalert not working with makeresults?

eval

search job inspector

subsearch

Archived Metrics Now Available for APAC and EMEA realms

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!