Dashboards & Visualizations

How to include earliest and latest times in scheduled PDF delivery?

naty
Path Finder

Hi,

i have a dashboard that i want to send me a PDF every week.
that i can do, but i want to know if there is a way to dynamically change the subject of the mail.

i would like the mail to include the dates of last week.
for example, the subject of the mail would be:
Splunk Weekly: 19/2 - 26/2

but the "19/2 - 26/2" would change for every week.

out Splunk version is 6.5.1.

can it be done?

woodcock
Esteemed Legend

Try adding | addinfo | rename info_* AS _info_*. Then you can use $result._info_earliest$ and $result._info_latest$.

mlevsh
Builder

@woodcock , we have the same task as the author of this post: to add current date to Email subject of Scheduled PDF delivery. I was going through answers and came across this Post's discussion.

$results.$ tokens do not seem to work with dashboard metadata 😞

0 Karma

woodcock
Esteemed Legend

Are you talking about drilldown?

0 Karma

mlevsh
Builder

@woodcock , I'm talking about Scheduling PDF delivery of Dashboards.
The below document clearly states Job information tokens and Search results tokens are not supported for Scheduled PDF Delivery for Dashboards:
https://docs.splunk.com/Documentation/Splunk/7.0.13/Alert/EmailNotificationTokens

Category, Context: Alert Actions, Context: Scheduled Reports, Context: Scheduled PDF delivery
Search metadata, Yes, Yes, Yes
Search results, Yes, Yes, No
Job information, Yes, Yes, No
Server information, Yes, Yes, Yes
Dashboard information, No, No, Yes

0 Karma

swmishra_splunk
Splunk Employee
Splunk Employee

$job.earliestTime$ and $job.latestTime$ are both job information tokens and they do not work with Dashboards Scheduled PDF Delivery.If you schedule a PDF Report it works but with Dashboards Job information tokens doesn't work.

The above tokens gives information about specific search jobs and a Dashboard is made up of multiple Reports which in turn has multiple searches.So it cannot extract specific search job information. Because of which we are getting some weird results.

The below document clearly states Job information tokens are not supported for Scheduled PDF Delivery for Dashboards.
http://docs.splunk.com/Documentation/Splunk/6.5.2/Viz/DashboardPDFs#Tokens_available_for_email_notif...

my4wd
Engager

I have been having the same issue. I have not been able to solve it. It may not be possible. If you think about it, a dashboard can have multiple searches, which could have different search periods. So the dashboard itself does not really have a "start time" or earliest.
It would be good to have a way to set tokens in the dashboard, that are available to the email. We are on splunkcloud, and the default schedule creates a default email template with subject "Splunk Dashboard: '$dashboard.label$' Which is an undocumented token as far as I can see. Are there others that are useful??? If you can dynamically set the dashboard label to the search period in the XLM, then it should be available.

I can confirm that I also tried the job.earliestTime and have the same result as you. It is not related to having ALL TIME set for the search.

woodcock
Esteemed Legend

According to this documentation, email supports the job tokens:
http://docs.splunk.com/Documentation/Splunk/6.5.2/Viz/DashboardPDFs#Tokens_available_for_email_notif...

Those should include theses (among others):

$job.earliestTime$: Initial job start time.
$job.latestTime$: Latest time recorded for the search job.
$job.resultCount$: Number of results a search job returned.
$job.runDuration$: Time, in seconds, for the search to complete.
$job.messages$: List of error and/or debug messages generated by the search job.

naty
Path Finder

@wookcock - Thank you!
I actually saw these tokens, but they go half way.
this is their output:
1970-01-01T02:00:00.000+02:00
2017-02-27T15:15:48.000+02:00

the job.latestTime is working actually great, but the earliestTime isn't.
if i could get those to work, and get only the day and month in a format of my desire that would resolve my case 🙂

0 Karma

woodcock
Esteemed Legend

You are clearly running a search for All Time. So run a "smarter" search with a more appropriate timepicker value and you should be good-to-go.

0 Karma

cmerriman
Super Champion

It does say that Job Information is available in the context of "Alert actions from search" and "Scheduled reports" so it may be why earliestTime is giving you trouble? I'm not sure it's going to give you what you want. Initial time a search job starts, to me, sounds like "I started this search at 3/1/2017 10:10 am" not "The week started on 2/27/2017" and the latest time recorded for the search job sounds like the timestamp the search finished. I could be wrong though.

Token   Description
$job.earliestTime$  Initial time a search job starts.
$job.eventSearch$   Subset of the search that contains the part of the search before any transforming commands.
$job.latestTime$    Latest time recorded for the search job.
$job.messages$  List of error and debug messages generated by the search job.
$job.resultCount$   Number of results returned by the search job.
$job.runDuration$   Time, in seconds, that the search took to complete.
$job.sid$   Search ID.
$job.label$ Name given to the search job.

http://docs.splunk.com/Documentation/Splunk/6.5.2/Report/Schedulereports#Use_tokens_in_scheduled_rep...

0 Karma

cmerriman
Super Champion

For dashboards, I don't think you can access the earliest and latest time tokens for emails.

http://docs.splunk.com/Documentation/Splunk/6.5.2/Viz/DashboardPDFs#Tokens_available_for_email_notif...

When I have a PDF generated, the date of generation is in the attachement name and then I also have the date range as an HTML panel inside the PDF at the top. That was my workaround.

DalJeanis
SplunkTrust
SplunkTrust

Seems like an good enhancement to request.

0 Karma

naty
Path Finder

@cmerriman - Thank you for the workaround!
this is actually a good idea, but my superiors have a good time, they see the date range in the mail subject 🙂
i will check if that's possible though

@DalJeanis - this might be stupid to ask, but is there really a way to request future enhancements?

0 Karma

DalJeanis
SplunkTrust
SplunkTrust
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...