
Removing time stamp from the emailed csv file

ECovell
Path Finder

Hello fellow Splunkers,
After we updated to the newest version of Splunk (6.4), I am seeing a change in my CSVs that are being e-mailed out
ex. RT_Snort_Signature_Check_v3-2016-08-09.csv

I have been looking in /splunk/etc/apps/search/bin/sendemail.py

Is this the right area to look in?
Any help will be very appreciated.

Thanks,
Ernie

0 Karma

ECovell
Path Finder

If anyone is interested in the work around, here is what support sent to me:

Change line #994 in .../etc/apps/search/bin/sendemail.py from:
fileName = alertActions.get('reportFileName', None)
to:
fileName = ssContent.get("action.email.reportFileName")

0 Karma

ECovell
Path Finder

Here is what I found to work.

Instead of working through the sendemail.py, go to the advanced settings for the search in question;
scroll down until you see action.email.reportFileName
The field there reset after the upgrade to: $name$-$time:%Y-%m-%d$
Remove the time stamp section and then change the name back to the previous settings, and life is good!

0 Karma

RicoSuave
Builder

I downvoted this post because it sucks. The actual attribute lives in alert_actions.conf and is called reportfilename

0 Karma

ECovell
Path Finder

Actually, there was a bug and a temporary fix was just sent to me, and it was in /etc/apps/search/bin/sendmail.py. So, if you could please remove the down vote. And I was going with what I could find in the previous parts of the thread.

0 Karma

ECovell
Path Finder

I am looking to remove the time stamp at the end of the csv file

0 Karma

richgalloway
SplunkTrust

How are you creating the CSV file?

---
If this reply helps you, Karma would be appreciated.
0 Karma

ECovell
Path Finder

The CSV files are saved searches that are sent to our ticketing system. The tickets are then sent to Outlook and run through a macro to make them easier to work with. Before I upgraded the search head everything was working well; I figure something must have changed due to the recent upgrade.

0 Karma

richgalloway
SplunkTrust

What version did you upgrade from?
What does the saved search look like?

---
If this reply helps you, Karma would be appreciated.
0 Karma

ECovell
Path Finder

We upgraded from 6.3.3 to 6.4

As far as what the search looks like, are you asking for the search from Splunk? The output to Outlook?

Before the upgrade the file would look like this when I received it in Outlook: splunk-results.csv
After the upgrade the file now has a time stamp trailing the file name and the name changed as well:
RT_Snort_Signature_Check_v3-2016-08-09.csv

0 Karma

richgalloway
SplunkTrust

Since these are Splunk boards, we should look at how Splunk is generating the CSV file that goes to the ticketing systems. Other parts of the workflow can be discussed in other forums.

What is the saved search that produces the CSV file? The final outputcsv command is the most interesting part.

---
If this reply helps you, Karma would be appreciated.
0 Karma

ECovell
Path Finder

The CSV is generated by the send email function in Splunk; you can set the function to send a saved alert either in the email or as an attachment CSV. The reports that are sent in the emails have not been affected, just the ones where we have chosen to send as an attachment.

0 Karma

richgalloway
SplunkTrust

I don't have experience with sendemail. It appears as though the attachment name is built using the saved search name. Wouldn't advise trying to change it as that would entail mucking around in Splunk's code (which can change in future releases) and could have unfortunate side effects.

---
If this reply helps you, Karma would be appreciated.
0 Karma

ECovell
Path Finder

Thank you for trying to help.

0 Karma