Is there any way to dynamically configure email ou...

Haybuck15 · ‎04-30-2019

We have a report that runs every 24 hours for each of our four sites, and we can't cluster two of the sites together for logistical purposes. For the purposes of this question, let's call them "siteA", "siteB", "siteC", and "siteD".

Our security team has a requirement that this report contain the site name in the subject line, currently this is accomplished by hard coding the site name into four different apps managed from the Deployment Server, however this is quickly becoming unmanageable.

Each Splunk Server contains the site name in the server's hostname. EX: "siteA-searchHead01"

What I'm looking to do here is find a way to configure the emailed out reports to dynamically take the first stanza of the hostname of the server it's run from (everything before the "-" in the above example), and stick that portion of the $server.serverName$ token in the subject line.

If this were outputting as a result in the report I could just use a Job token, however I can't forcibly add this to the report, as these reports go out as PDFs to Auditors, and we need to keep them to just the information currently displayed; an extraneous field would look severely unprofessional.

Is there any way to dynamically configure email output tokens through Python similar to custom commands, or some other method?

woodcock · ‎04-30-2019

Like this:

... | append [
| rest/services/authentication/users splunk_server=local
| dedup splunk_server
| table splunk_server
| lookup dnslookup clienthost AS splunk_server
| lookup dnslookup clientip AS clientip
| rename * AS _* ]

Then you can use $results._splunk_server$ , etc.

Is there any way to dynamically configure email output tokens through Python similar to custom commands, or some other method?

python

Observability | How to Think About Instrumentation Overhead (White Paper)

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

The Great Resilience Quest: 10th Leaderboard Update