Reporting

Take csv outputs from multiple searches and send in email

rlautman
Path Finder

I have 4 separate searches that run nightly and each produces a csv output which is sent via email - is it possible to take each of these separate csvs and, keeping them as separate files, send them together in one email?

0 Karma
1 Solution

kristian_kolb
Ultra Champion

I guess that you could do it via a script (even independent of splunk) that runs at, say 06.00, and picks the four files as attachments (since the filenames/paths are known).

View solution in original post

yannK
Splunk Employee
Splunk Employee

you could outputcsv the 4 results, then have a 5th search that append all the csv togethers and email the result.

example with 2 searches generating a unique csv per search : (erasing the previous day result eachtime)

<mysearch1> | table fieldA fieldB | outputcsv resultsearch1.csv

<mysearch2> | table fieldA fieldB | outputcsv resultsearch2.csv

then the alert regrouping all the results (to be scheduled to run after)

|inputcsv resultsearch1.csv | append [ inputscsv resultsearch2.csv ] | table fieldA field B

rlautman
Path Finder

Thanks YannK - I had considered this but each csv must remain separate as each is showing different results

0 Karma

rlautman
Path Finder

Thanks, I was quite sure this would be the solution - I just wanted to check if there was a way I could do it using a scheduled search. Can you put your comment as an answer and I will considered the question answered? Thanks for the quick reply 🙂

0 Karma

kristian_kolb
Ultra Champion

I guess that you could do it via a script (even independent of splunk) that runs at, say 06.00, and picks the four files as attachments (since the filenames/paths are known).

Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...