Splunk Search

Why is sendalert not working with makeresults?

uchoavaz
Explorer

Hello!

I am trying to use makeresults + eval inside a sendalert parameters, but it doesn't return what i need. Follow the example:

 

 

 

 

index=client1 sourcetype=report_case source=splunk-hf | table action_date	case_post_date	action_taken	arn	scheme_case_number	client_internal_id	uuid	acquirer_case_number | sendalert s3_upload param.bucket_name="bucket_name" param.file_format="csv" param.file_name=[|makeresults | eval filename=strftime(now(), "filename-PreviousDay_%Y_%m_%d_%H_%M_%S") | return $filename]

 

 

 

 

 

the file is created but with a default name "test_20220811.csv".

What am i doing wrong in the search?

Thanks

Labels (3)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Try something like this

index=client1 sourcetype=report_case source=splunk-hf | table action_date	case_post_date	action_taken	arn	scheme_case_number	client_internal_id	uuid	acquirer_case_number | sendalert s3_upload param.bucket_name="bucket_name" param.file_format="csv" [|makeresults | eval "param.file_name"=strftime(now(), "filename-PreviousDay_%Y_%m_%d_%H_%M_%S") | fields 'param.file_name' | format "" "" "" "" "" ""]

View solution in original post

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Try something like this

index=client1 sourcetype=report_case source=splunk-hf | table action_date	case_post_date	action_taken	arn	scheme_case_number	client_internal_id	uuid	acquirer_case_number | sendalert s3_upload param.bucket_name="bucket_name" param.file_format="csv" [|makeresults | eval "param.file_name"=strftime(now(), "filename-PreviousDay_%Y_%m_%d_%H_%M_%S") | fields 'param.file_name' | format "" "" "" "" "" ""]
0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...