Solved: Why is my scheduled report only returning one row...

bgwalters · ‎05-19-2017

I have a very simple search saved as a Scheduled E-mail Report. When I manually run the search it works as expected. The scheduled e-mail report only contains the first entry or I've also received separate e-mails each containing a row from the report.

The search string ends with | top limit=20 field_name_here Is there something I don't realize about the top command that would affect scheduled reports?

Thank you!

aakwah · ‎05-19-2017

Hello,

I suspect the Alert mode parameter in Alert definition, it could be: Once per search or Once per result.
Set it to Once per search and check the behavior, you can do from Web interface or from savedsearches.conf:

alert.digest_mode = True

Regards

View solution in original post

aakwah · ‎05-19-2017

Hello,

I suspect the Alert mode parameter in Alert definition, it could be: Once per search or Once per result.
Set it to Once per search and check the behavior, you can do from Web interface or from savedsearches.conf:

alert.digest_mode = True

Regards

bgwalters · ‎05-19-2017

How do I check the Alert definition for a Report via the web interface (6.5.2) ? I can't seem to find anything about "Alert" for this Report....

aakwah · ‎05-19-2017

Settings -> Searches, reports, and alerts -> Click the alert under Search name column -> Alert mode

ruchir · ‎05-19-2017

Is your Alert mode set as Once per result?
Can you share the search and other alert options you set in report?

cmerriman · ‎05-19-2017

try just |top 20 field_name_here

bgwalters · ‎05-19-2017

This did not help unfortunately. Same behavior.

Why is my scheduled report only returning one row using the top command?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms