- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Attempting to use sendemail from dashboard if Chec...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Attempting to use sendemail from dashboard if Checkbox is checked, and e-mail textbox is not null
I have created a dashboard consisting of five panels, and I have updated a panel so that an e-mail can be sent when the search for the panel completes. One panel works sporadically, the second doesn't. I am running Splunk version 6.5.0
The dashboard has three inputs for all panels
(1) Time
(2) Dropdown - This is populated with the Hostnames of devices of a specific device type that have sent syslog messages to Splunk within the time window specified in the Time input.
(3) Text - The token name is "emailAddr" with empty Default and Initial values. The Token Suffix is "@domain.name"
The the panel I am attempting to allow for the option to e-mail the results from is configured as follows:
(1) The panel displays events.
(2) Two panel inputs:
(2a) Text - Free form text input with the token "Filter" and a default value of *
(2b) Checkbox - The token is "SendReport" and when checked it contains the sendmail command "| sendemail to $emailAddr$ ..."
(3) The Panels search command is: eventttype=firewall AND $Filter$ $SendReport$
Behaviour:
- The panel with default values will not produce any results in the Event Window. If I remove $SendReport$ from the panel search string the panel with default values consistently returns results in the Event Window.
- If I check (enable) the checkbox with $SendReport$ restored to the panel search string, I get results in the Event Window, but there is a red triangle in the Title line that reads command="sendemail", {} while sending mail to: and I do not receive an e-mail.
- I add my username to the Dashboard text input
- I uncheck the Send email checkbox and the Event Window, the panel's search report "Search is waiting for input..."
- I check the Send e-mail checkbox and the Event Window is populated with results, but no e-mail is sent and the red triangle appears in the Title line, repeating the message identified above. (command=)
To confirm the search is syntactically correct, I expanded the token values (with real values, not the sample values) and this works.
eventtype=firewall AND 192.168.1.1 | sendemail to=user@domain.name subject="Dashboard Report" paperorientation="landscape" papersize="letter" width_sort_columns="true" sendresults="true" server="smtp.domain.name"
Any idea how I can fix the following conditions:
- Display results when the Send email checkbox is unchecked.
- Successfully send e-mail when the Send email
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It REALLY helps to see your XML. Try something like this:
<form>
<label>Show Hide Using checkbox</label>
<fieldset submitButton="false">
<input type="checkbox" token="emailORnot" searchWhenChanged="true">
<choice value="emailORnot">Email Results?</choice>
</input>
</fieldset>
<row>
<panel>
<table depends="$emailORnot$">
<search>
<query>index=_internal | stats count BY sourcetype | sendemail to="user@domain.name" subject="Dashboard Report" paperorientation="landscape" papersize="letter" width_sort_columns="true" sendresults="true" server="smtp.domain.name"</query>
<earliest>-60m@m</earliest>
<latest>now</latest>
</search>
</table>
</panel>
<panel>
<table rejects="$emailORnot$">
<search>
<query>index=_internal | stats count BY sourcetype</query>
<earliest>-60m@m</earliest>
<latest>now</latest>
</search>
</table>
</panel>
</row>
</form>
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
