
How to use fields as tokens in scheduled report emails, but not in visualizations?

el_ster
Explorer

Dear experts,

I defined the below-mentioned pivot to generate a monthly report of the most frequently used URL paths on a web server. In the email sent by the scheduled report, I would like to show the name of the month and the current year. My idea is to use the auto-extracted fields date_month and date_year as tokens in the email ($report.date_month$, $report.date_year$). It is acceptable to show these two attributes in the statistics part of the report, but not in the visualization part (a bar chart). Is there any way to make these two fields invisible in the chart?

Also other approaches to accomplish the functionality are welcome!

| pivot WebServer_KPIs Bandwith sum(bytes_out) AS "Bandwith/bytes" first(date_month) AS "Month" min(date_year) AS "Year" SPLITROW application_name AS Apps TOP 10 sum(bytes_out) ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 0 SHOWOTHER 1

Thanks and br,
Elmar

0 Karma

jkat54
SplunkTrust

Make 2 searches... one powers the dashboard and one sends email notifications.

Or, send 2 emails... one for each desired output.

Or, make a dashboard with both searches. One search is a data table and has the fields you're looking for... the next search is a visualization with | fields - field1 field2 or otherwise discards/doesn't use the fields. Then schedule PDF delivery...

0 Karma

el_ster
Explorer

Hi, thanks for your answer. Scheduling PDF delivery for a whole dashboard is a promising approach. However, the requirement is to send a bar chart as email notification with month and year of the previous month search in the email subject but not visible in the bar chart. For me, it looks like other than for reports it is not possible to use search result fields as email tokens, right? So I am not yet able to enter the month and year values related to the previous month search into the email subject on the one hand without showing these two values in the bar chart on the other hand....

Any further ideas still welcome,
Elmar

0 Karma

jkat54
SplunkTrust

Seems to me if you're using the ...|sendemail command, you should be able to pass tokens to it with the map command.

mainSearch .... | ... | map search="|sendemail subject='$tokenFromMainSearch$'"

http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Map

0 Karma

woodcock
Esteemed Legend

I would not use the built-in fields at all; they are not what you think they are. Read this:

https://answers.splunk.com/answers/243017/counting-the-total-number-of-days-for-all-time.html

0 Karma

el_ster
Explorer

Hello,

Thank you for the interesting hint. However, even if I use some self-defined fields instead of the built-in ones, this still does not solve my problem of how to use those as email tokens without displaying them in the related bar chart.

So any further suggestions how to solve the actual problems are still welcome 🙂

Thanks and br,
Elmar

0 Karma