Hi at all,
I have the problem that, sometimes, some of my reports exceed the eMail attachment limits.
I could reduce the fields in report, but this isn't a good solution because, in this way, I don't satisfy the final customer and the problem could be still present.
I solved the problem by giving the customer the availability to manually run the report, but the customer wasn't fully satisfied.
Is there a way to compress (zip or tar) a report before sending it to the eMail system?
I think that this is an important feature and that it's strange that nobody has implemented it in Splunk.
Bye.
Giuseppe
You can bypass email altogether and use scp
or other transfer method. Here is what I have done before. First, modify your search to end in | outputcsv MyBigHonkingFile_scpToFileShare.csv
. Then setup a cron job
on the Search Head to run every hour looking for files that match an arbitrary naming convention like, *_scpToFileShare.csv
inside of the $SPLUNK_HOME/var/run/splunk/dispatch/
directory. When a file is found, it is sent via scp
to the fileshare, then erased. No email necessary, or, if you like, an email that just says that the file was transferred. Cake.
Hi @cusello
Did any of the answers work for you? If they did please go ahead and accept it and if not let the community know if you need more help/clarification with the problem.
Thanks
You could try to use the "Run a Script" option in the Scheduled Report.
http://docs.splunk.com/Documentation/Splunk/6.2.3/Report/Schedulereports#Run_a_script
You could setup a script that would compress the report and then email it via the server's mail application.
You can bypass email altogether and use scp
or other transfer method. Here is what I have done before. First, modify your search to end in | outputcsv MyBigHonkingFile_scpToFileShare.csv
. Then setup a cron job
on the Search Head to run every hour looking for files that match an arbitrary naming convention like, *_scpToFileShare.csv
inside of the $SPLUNK_HOME/var/run/splunk/dispatch/
directory. When a file is found, it is sent via scp
to the fileshare, then erased. No email necessary, or, if you like, an email that just says that the file was transferred. Cake.
Have you tried to go through the REST api?
http://docs.splunk.com/Documentation/Splunk/7.1.2/Search/ExportdatausingRESTAPI
See if this helps your problem:
https://splunkbase.splunk.com/app/4030/
There are other email options. Try this app, for example.
https://splunkbase.splunk.com/app/2614/
The above suggestion by @woodcock was something I was looking for long time. Thanks @cusello cuand @woodcock
@woodcock provided what I would recommend as well.
I have to send a CSV file that is usually too large for eMail attachment, this App is only for pdf.
Is there another solution for csv than to create a script?
Bye.
Giuseppe
My solution bypasses email entirely. I think that you meant to put your comment under a different answer @cusello.
Hi cusello,
You can refer this answer and check if that helps!!:
https://answers.splunk.com/answers/140208/how-to-compress-csv-file-and-email-it-on-unix-platform.htm...
I'll try it.
Bye.
Giuseppe