Splunk Dev

Is there any way to dynamically configure email output tokens through Python similar to custom commands, or some other method?

Haybuck15
Explorer

We have a report that runs every 24 hours for each of our four sites, and we can't cluster two of the sites together for logistical purposes. For the purposes of this question, let's call them "siteA", "siteB", "siteC", and "siteD".

Our security team has a requirement that this report contain the site name in the subject line, currently this is accomplished by hard coding the site name into four different apps managed from the Deployment Server, however this is quickly becoming unmanageable.

Each Splunk Server contains the site name in the server's hostname. EX: "siteA-searchHead01"

What I'm looking to do here is find a way to configure the emailed out reports to dynamically take the first stanza of the hostname of the server it's run from (everything before the "-" in the above example), and stick that portion of the $server.serverName$ token in the subject line.

If this were outputting as a result in the report I could just use a Job token, however I can't forcibly add this to the report, as these reports go out as PDFs to Auditors, and we need to keep them to just the information currently displayed; an extraneous field would look severely unprofessional.

Is there any way to dynamically configure email output tokens through Python similar to custom commands, or some other method?

Labels (1)
0 Karma

woodcock
Esteemed Legend

Like this:

... | append [
| rest/services/authentication/users splunk_server=local
| dedup splunk_server
| table splunk_server
| lookup dnslookup clienthost AS splunk_server
| lookup dnslookup clientip AS clientip
| rename * AS _* ]

Then you can use $results._splunk_server$, etc.

0 Karma
Get Updates on the Splunk Community!

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...

Splunk App Dev Community Updates – What’s New and What’s Next

Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...