Solved: Why is sendalert not working with makeresults?

uchoavaz · ‎08-11-2022

Hello!

I am trying to use makeresults + eval inside a sendalert parameters, but it doesn't return what i need. Follow the example:

index=client1 sourcetype=report_case source=splunk-hf | table action_date	case_post_date	action_taken	arn	scheme_case_number	client_internal_id	uuid	acquirer_case_number | sendalert s3_upload param.bucket_name="bucket_name" param.file_format="csv" param.file_name=[|makeresults | eval filename=strftime(now(), "filename-PreviousDay_%Y_%m_%d_%H_%M_%S") | return $filename]

the file is created but with a default name "test_20220811.csv".

What am i doing wrong in the search?

Thanks

ITWhisperer · ‎08-11-2022

Try something like this

index=client1 sourcetype=report_case source=splunk-hf | table action_date	case_post_date	action_taken	arn	scheme_case_number	client_internal_id	uuid	acquirer_case_number | sendalert s3_upload param.bucket_name="bucket_name" param.file_format="csv" [|makeresults | eval "param.file_name"=strftime(now(), "filename-PreviousDay_%Y_%m_%d_%H_%M_%S") | fields 'param.file_name' | format "" "" "" "" "" ""]

View solution in original post

ITWhisperer · ‎08-11-2022

Try something like this

index=client1 sourcetype=report_case source=splunk-hf | table action_date	case_post_date	action_taken	arn	scheme_case_number	client_internal_id	uuid	acquirer_case_number | sendalert s3_upload param.bucket_name="bucket_name" param.file_format="csv" [|makeresults | eval "param.file_name"=strftime(now(), "filename-PreviousDay_%Y_%m_%d_%H_%M_%S") | fields 'param.file_name' | format "" "" "" "" "" ""]

Why is sendalert not working with makeresults?

eval

search job inspector

subsearch

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Splunk Life | Happy Pride Month!

SplunkTrust | Where Are They Now - Michael Uschmann