I guess that you could do it via a script (even independent of Splunk) that runs at, say 06.00, and picks the four files as attachments (since the filenames/paths are known).
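The script approach suggested above, as an added example that is not part of the original post: it attaches each CSV as its own file and refuses to send when a file is missing, empty or stale. The file names, directory, addresses, local SMTP relay and the six-hour freshness window are assumptions.

```python
import smtplib
import time
from email.message import EmailMessage
from pathlib import Path

# Assumed: the scheduled searches finish within 6 h before the 06:00 run.
MAX_AGE_SECONDS = 6 * 3600


def build_report(csv_dir, names, sender, recipient, now=None):
    """Return an EmailMessage carrying each CSV as a separate attachment.

    Raises if a file is missing, empty or stale, so yesterday's
    results are never mailed as today's.
    """
    now = time.time() if now is None else now
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = "Daily search results"
    msg.set_content("Attached: " + ", ".join(names))
    for name in names:
        path = Path(csv_dir) / name
        # Reject names with directory components (e.g. "../x.csv").
        if path.name != name or not path.is_file():
            raise FileNotFoundError(name)
        st = path.stat()
        if st.st_size == 0 or now - st.st_mtime > MAX_AGE_SECONDS:
            raise ValueError(f"{name} is empty or stale")
        msg.add_attachment(path.read_bytes(), maintype="text",
                           subtype="csv", filename=name)
    return msg


def send(msg, host="localhost", port=25):
    """Hand the message to an SMTP relay (assumed to be local)."""
    with smtplib.SMTP(host, port) as smtp:
        smtp.send_message(msg)


if __name__ == "__main__":
    # Hypothetical file names and placeholder directory and addresses.
    names = [f"resultsearch{i}.csv" for i in range(1, 5)]
    send(build_report("/path/to/csv/dir", names,
                      "reports@example.com", "team@example.com"))
```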
You could outputcsv the 4 results, then have a 5th search that appends all the CSVs together and emails the result.
Example with 2 searches generating a unique CSV per search (erasing the previous day's result each time):
<mysearch1> | table fieldA fieldB | outputcsv resultsearch1.csv
<mysearch2> | table fieldA fieldB | outputcsv resultsearch2.csv
Then the alert regrouping all the results (to be scheduled to run after):
| inputcsv resultsearch1.csv | append [ | inputcsv resultsearch2.csv ] | table fieldA fieldB
Thanks YannK - I had considered this but each csv must remain separate as each is showing different results
Thanks, I was quite sure this would be the solution - I just wanted to check if there was a way I could do it using a scheduled search. Can you put your comment as an answer and I will consider the question answered? Thanks for the quick reply 🙂