Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is there any way to dynamically configure email output tokens through Python similar to custom commands, or some other method?

Haybuck15
Explorer
‎04-30-2019 08:04 AM

We have a report that runs every 24 hours for each of our four sites, and we can't cluster two of the sites together for logistical purposes. For the purposes of this question, let's call them "siteA", "siteB", "siteC", and "siteD".

Our security team has a requirement that this report contain the site name in the subject line, currently this is accomplished by hard coding the site name into four different apps managed from the Deployment Server, however this is quickly becoming unmanageable.

Each Splunk Server contains the site name in the server's hostname. EX: "siteA-searchHead01"

What I'm looking to do here is find a way to configure the emailed out reports to dynamically take the first stanza of the hostname of the server it's run from (everything before the "-" in the above example), and stick that portion of the $server.serverName$ token in the subject line.

If this were outputting as a result in the report I could just use a Job token, however I can't forcibly add this to the report, as these reports go out as PDFs to Auditors, and we need to keep them to just the information currently displayed; an extraneous field would look severely unprofessional.

Is there any way to dynamically configure email output tokens through Python similar to custom commands, or some other method?

Labels (1)
Labels
0 Karma
Reply

woodcock
Esteemed Legend
‎04-30-2019 09:05 PM

Like this:

... | append [
| rest/services/authentication/users splunk_server=local
| dedup splunk_server
| table splunk_server
| lookup dnslookup clienthost AS splunk_server
| lookup dnslookup clientip AS clientip
| rename * AS _* ]

Then you can use $results._splunk_server$, etc.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...

Splunk App Dev Community Updates – What’s New and What’s Next

Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...