Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Send all reports from last hour in an email

kirthi_d
Engager
‎05-17-2020 04:17 PM

Hello everyone,
current scenario:
Reports run every 15 minutes. The output are charts. We take screenshot of those reports and manually send email every one hour with screen shots from past hour. For instance at 10am, we send email with 4 screenshots from 9:00, 9:15, 9:30, 9:45.

My manager wants me to automate this. The reports from past hour should be saved and sent in a single email every hour. Please let me know if and how this can be achieved.

Thanks in advance.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎05-17-2020 04:52 PM 
index=_internal earliest=-1h@h
| bin _time span=15m
| eval time=strftime(_time,"%T")
| stats count by sourcetype time
| eval {time}=count
| fields - count
| sort time
| where strptime(time,"%T") < relative_time(now(),"@h")

this is sample.
use Viz >>column chart with trellis of time.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎05-17-2020 04:52 PM 
index=_internal earliest=-1h@h
| bin _time span=15m
| eval time=strftime(_time,"%T")
| stats count by sourcetype time
| eval {time}=count
| fields - count
| sort time
| where strptime(time,"%T") < relative_time(now(),"@h")

this is sample.
use Viz >>column chart with trellis of time.

0 Karma
Reply
Solved! Jump to solution

kirthi_d
Engager
‎05-17-2020 05:18 PM

Thanks to4kawa. This generates one single report. I need 4 instances of same report to be sent in one email. Is it possible to store results of a report in splunk and use it later?

For instance, "Sales Report" ran at 9am is saved as report1, the same "Sales Report" ran again at 9,15am saved as report2 and "Sales Report" ran at 9.30 saved as report3 and ran at 9.45 saved as report 4. And an email triggered at 9.45 with report1 through report4 either attached or displayed in the body?

Appreciate your help

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎05-17-2020 05:33 PM

It's impossible by only splunk.

so, I make the query to display 4 chart.

0 Karma
Reply
Solved! Jump to solution

kirthi_d
Engager
‎05-17-2020 06:31 PM

Thought so too. Wanted to confirm with experts before saying No. Thanks again.

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎05-17-2020 06:37 PM

If there were four graphs, wouldn't the boss be convinced?

I hope it works out for you. please accept and close your question.

0 Karma
Reply
Solved! Jump to solution

kirthi_d
Engager
‎05-17-2020 08:29 PM

I see what you mean, I can generate 4 reports and put in dashboard and schedule to email that. That could work. Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...