Is there any way to dynamically configure email output tokens through Python similar to custom commands, or some other method?

Haybuck15
Explorer

We have a report that runs every 24 hours for each of our four sites, and we can't cluster two of the sites together for logistical purposes. For the purposes of this question, let's call them "siteA", "siteB", "siteC", and "siteD".

Our security team has a requirement that this report contain the site name in the subject line. Currently this is accomplished by hard-coding the site name into four different apps managed from the Deployment Server; however, this is quickly becoming unmanageable.

Each Splunk Server contains the site name in the server's hostname. EX: "siteA-searchHead01"

What I'm looking to do here is find a way to configure the emailed out reports to dynamically take the first stanza of the hostname of the server it's run from (everything before the "-" in the above example), and stick that portion of the $server.serverName$ token in the subject line.

If this were outputting as a result in the report I could just use a Job token, however I can't forcibly add this to the report, as these reports go out as PDFs to Auditors, and we need to keep them to just the information currently displayed; an extraneous field would look severely unprofessional.

Is there any way to dynamically configure email output tokens through Python similar to custom commands, or some other method?

0 Karma

woodcock
Esteemed Legend

Like this:

... | append [
| rest /services/authentication/users splunk_server=local
| dedup splunk_server
| table splunk_server
| lookup dnslookup clienthost AS splunk_server
| lookup dnslookup clientip AS clientip
| rename * AS _* ]

Then you can use $results._splunk_server$, etc.

0 Karma