Reporting

Report is creating multiple emails instead of one

mlevsh
Builder

We have a report (NOT an alert) that has multiple events as a result of some specific search.
It is scheduled to run every hour and email the result of a search.
Instead of the report sending the entire report in one email, it sends an email for each event result.

For example:
Result of search on Report via GUI:
user1 locked
user2 locked
user3 locked

Report sends 3 emails with "user# locked" in the body of email

Is there any way to make it send one email with all events in the result without converting it to an alert?

Thank you

0 Karma
1 Solution

mlevsh
Builder

We used Settings -> Searches, reports, and alerts -> Advanced Edit on Report -> change "alert.digest_mode" from "false" to "true". It seems to have fixed our issue. At least, for my test.

I compared a regular Alert's settings with "Trigger" set to "Once" and "Alert Trigger" set to "For each result" and found that alert.digest_mode corresponds to the Alert Trigger value. On the report that produced multiple emails, alert.digest_mode was set to "false". After changing it to "true" I got just one email.

christopherreed
Engager

It took a couple of tries for the value to actually set, but once it did it worked perfectly. I needed everything to be sent separately so I set it to false.

0 Karma

p_gurav
Champion

Hi,

This may help you:
https://answers.splunk.com/answers/586680/report-creates-multiple-emails-looking-for-single.html

Also try using the sendemail command in the search, then schedule the report. Refer to the command doc below:
https://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Sendemail

0 Karma

mlevsh
Builder

@p_gurav
Saw the Q&A at the first link, but it is not really clear what to do. The screenshot is not available on the page, and the text advice "-Always in Condition, -Once per search in Alert Mode" doesn't explain what should be changed. For example, there is no alert_mode in Advanced Edit of the report.

0 Karma

p_gurav
Champion

Can you try the sendmail command in the search itself?

0 Karma

mlevsh
Builder

@p_gurav, I think we can use Settings -> Searches, reports, and alerts -> Advanced Edit on Report -> change "alert.digest_mode" from "false" to "true". It seems to have fixed our issue. At least, for my test.

I compared a regular Alert's settings with "Trigger" set to "Once" and "Alert Trigger" set to "For each result" and found that alert.digest_mode corresponds to the Alert Trigger value. On the report that produced multiple emails, alert.digest_mode was set to "false". After changing it to "true" I got just one email.

0 Karma
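
The following is an added example, not part of any post in this thread and not Splunk's own code: a small audit that reads `savedsearches.conf` text and lists scheduled, email-enabled reports whose `alert.digest_mode` is off, which is the condition that produced one email per result above. The file name, the `enableSched` and `action.email` keys, the accepted boolean spellings, and the sample stanzas are assumptions or constructed values that do not appear in the thread.

```python
SAMPLE_CONF = """\
[Locked accounts hourly]
search = index=wineventlog EventCode=4740 | table user
enableSched = 1
action.email = 1
alert.digest_mode = false

[Failed logins daily]
search = index=auth action=failure \\
    | stats count by user
enableSched = 1
action.email = 1
alert.digest_mode = 1

[Ad hoc lookup]
search = index=auth user=*
alert.digest_mode = 0
"""  # constructed sample, not taken from a real deployment
TRUE, FALSE = {"1", "true", "t", "yes"}, {"0", "false", "f", "no"}

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}, joining backslash continuations."""
    stanzas, current, buf = {}, None, ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        if line.endswith("\\"):
            buf = line[:-1] + " "
            continue
        buf = ""
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def flag(value, default):
    """Interpret a boolean setting; fall back to default when unset or unknown."""
    v = (value or "").lower()
    return True if v in TRUE else False if v in FALSE else default

def per_result_email_reports(text):
    """Scheduled, email-enabled searches whose alert.digest_mode is off."""
    hits = []
    for name, kv in parse_conf(text).items():
        # Assumption: an unset alert.digest_mode means digest (one email).
        if (flag(kv.get("enableSched"), False) and flag(kv.get("action.email"), False)
                and not flag(kv.get("alert.digest_mode"), True)):
            hits.append(name)
    return hits

if __name__ == "__main__":
    print(per_result_email_reports(SAMPLE_CONF))
```

Reports that are not scheduled or do not email are skipped even when digest mode is off, since they never trigger the per-result mail.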