I downvoted this post because it sucks. the actual attribute lives in alert_actions.conf and is called reportfilename

Actually there was a bug and a temporary fix was just sent to me, and it was in /etc/apps/search/bin/sendmail.py. So, if you could please remove the down vote.. and I was going with what I could find in the previous parts of the thread.

How are you creating the CSV file?

The CSV files are saved searches that are sent to our ticketing system. The tickets are then sent to outlook and run through a macro to make them easier to work with. Before I upgraded the search head everything was working well, I figure something must have changed do to the resent upgrade.

What version did you upgrade from?
What does the saved search look like?

We upgraded from 6.3.3 to 6.4

As far as what the search looks like are you asking for the search from Splunk? The output to Outlook?

Before the upgrade the file would look like this when I received it in Outlook: splunk-results.csv
After the upgrade the file now has a time stamp trailing the file name and the name changed as well:
RT_Snort_Signature_Check_v3-2016-08-09.csv

Since these are Splunk boards, we should look at how Splunk is generating the CSV file that goes to the ticketing systems. Other parts of the workflow can be discussed in other forums.

What is the saved search that produces the CSV file? The final outputcsv command is the most interesting part.

The CSV is generated by the send email function in Splunk, you can either set the function to send a saved alert in the email or as an attachment CSV. The reports that are sent in the emails have not been affected, just the ones where we have chosen to send as an attachment.

I don't have experience with sendemail. It appears as though the attachment name is built using the saved search name. Wouldn't advise trying to change it as that would entail mucking around in Splunk's code (which can change in future releases) and could have unfortunate side effects.

Thank you for trying to help.