I have a dashboard that I want to send an e-mail when the search finishes. When I do the search in the search dashboard, all works fine. When I do the search in the dashboard, I get several copies of the e-mail.
Has anyone experienced this and is there a way to fix this behavior?
Try changing it to a savedsearch and referring to that report instead of using an inline search. As a panel it could be getting reloaded or loaded by a few folks or in a few tabs.
a saved search would work as does each panel with its own search. The problem is in my original problem I have 4 panels using the a base search and this is the case where I get multiple e-mails.
Oh! This is a post-processing situation? Hook us up with the whole page so we get the full context and we'll see what we can do. Fair? The snippet you provided earlier seems like a one panel page. Or maybe I've just gotten confused on the problem.
<dashboard>
<label>test sendemail</label>
<row>
<panel>
<title>inline search</title>
<table>
<search>
<query>| metasearch index=* OR index=_*
| stats count by index, host
| sendemail to="me@domain.com" sendcsv=false subject="index host"
</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
<search id="base">
<query>| metasearch index=* OR index=_*
| stats count by index, host
| fields count index host
</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<row>
<panel>
<title>post search host</title>
<table>
<search base="base">
<query>
| stats sum(count) as count by host
| sendemail to="me@domain.com" sendcsv=false subject="post host"
</query>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
<panel>
<title>post search index</title>
<table>
<search base="base">
<query>
| stats sum(count) as count by index
| sendemail to="me@domain.com" sendcsv=false subject="post index"
</query>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</dashboard>
Thank you for sharing the full page. The only other things I would test it I were you is if that behavior changes on different releases (in case it's a bug that was addressed) and if btool shows that the alert_actions.conf has some settings in it causing silliness.
All that said, I'm pessimistic those will produce promising answers for you so I'd suggest opening a support case since it appears feature/functionality is not working as documented. Make sure to outline the key points of this thread so as to expedite your case by reducing support's interest in asking questions we addressed here.
@fk319, the above dashboard has three sendemail
searches. If you get three email each time dashboard loads (refreshes), then that is expected behavior. What is the behavior that you are seeing?
That would be expected, but I am getting 10-12 e-mails.
@fk319,
Can you try with the following tstats
based SPL:
<search>
<query>| tstats count WHERE index=* OR index=_* BY index, host
| sendemail to="abc@def.com" subject="index host" sendcsv=false sendresults=true
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
You can also try another option to enable schedule PDF delivery
of Dashboard via email instead of sendemail command, so that emails are sent out as per predefined schedule(frequency), rather than an email everytune Dashboard is loaded.. You should configure Schedule PDF delivery
option following Splunk documenation: http://docs.splunk.com/Documentation/Splunk/latest/Report/GeneratePDFsofyourreportsanddashboards
Curious. Please post the dash code snippet for the search and for the email send.
<panel>
<title>inline search</title>
<table>
<search>
<query>| metasearch index=* OR index=_*
| stats count by index, host
| sendemail to="me@domain.com" sendcsv=false subject="index host"
</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>