Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is our custom sendemail command not being called for a scheduled saved search?

chris
Motivator
‎11-07-2016 09:54 PM

Hi,

One of our users wants to have the results of a search split based on a field in the resultset and receive an email per subset of the original resultset.

I copied sendemail.py to that users app/bin dir, renamed and modified it. And I created a stanza in commands.conf of that app:

[sendemailsplit]
filename = sendemailsplit.py
streaming = false
run_in_preview = false
passauth = true
required_fields =
changes_colorder = false
supports_rawargs = true
undo_scheduler_escaping = true
is_risky = true

Sending emails calling the script using sendemailsplit directly from search works fine. I was hoping that by replacing the action.email.command value of a saved search, I will be able to use the modified command, but it is not getting called.

I just replaced the default Setting in savedsearch.conf which is:

$action.email.preprocess_results{default=""}$ | sendemail "results_link=$results.url$" "ssname=$name$" "graceful=$graceful{default=True}$" "trigger_time=$trigger_time$" maxinputs="$action.email.maxresults{default=10000}$" maxtime="$action.email.maxtime{default=5m}$" results_file="$results.file$"

with the new command

action.email.command = $action.email.preprocess_results{default=""}$ | sendemailsplit splitfield="host" "results_link=$results.url$" "ssname=$name$" "graceful=$graceful{default=True}$" "trigger_time=$trigger_time$" maxinputs="$action.email.maxresults{default=10000}$" maxtime="$action.email.maxtime{default=5m}$" results_file="$results.file$"

Emails are still being sent when the search is scheduled, but python.log just shows that sendemail is being called instead of sendemailsplit.

What am I not getting/doing wrong? Oh and I did restart Splunk a couple of times by now ... if you need more info please let me know.
Regards
Chris

These are a couple of things i tried since posting:

  • Rename the command from sendemailsplit to sendemail -> the alert does not use the custom script
  • Changing request.ui_dispatch_app to different values -> the alert does not use the custom script
  • Adding the 2nd part of action.email.command to the search | sendemailsplit splitfield="host" "results_link=$results.url$" "ssname=$name$" "graceful=$graceful{default=True}$" "trigger_time=$trigger_time$" maxinputs="$action.email.maxresults{default=10000}$" maxtime="$action.email.maxtime{default=5m}$" results_file="$results.file$" -> this yields errors when invoked from search but works when scheduled

So ok I have a work around but this is ugly. I'll leave the question open hoping that someone who knows how this works can help me.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nvanderwalt_spl
Splunk Employee
Splunk Employee
‎02-16-2017 01:39 PM

Not sure if you have managed to get this going, but what you need is an entry in a local alert_actions.conf
Something like:

cat $SPLUNK_HOME/etc/apps/my_app/local/alert_actions.conf


[email]

command     = $action.email.preprocess_results{default=""}$ | sendemailsplit splitfield="host" "results_link=$results.url$" "ssname=$name$" "graceful=$graceful{default=True}$" "trigger_time=$trigger_time$" maxinputs="$action.email.maxresults{default=10000}$" maxtime="$action.email.maxtime{default=5m}$" results_file="$results.file$"

View solution in original post

Reply
Solved! Jump to solution
Solution

nvanderwalt_spl
Splunk Employee
Splunk Employee
‎02-16-2017 01:39 PM

Not sure if you have managed to get this going, but what you need is an entry in a local alert_actions.conf
Something like:

cat $SPLUNK_HOME/etc/apps/my_app/local/alert_actions.conf


[email]

command     = $action.email.preprocess_results{default=""}$ | sendemailsplit splitfield="host" "results_link=$results.url$" "ssname=$name$" "graceful=$graceful{default=True}$" "trigger_time=$trigger_time$" maxinputs="$action.email.maxresults{default=10000}$" maxtime="$action.email.maxtime{default=5m}$" results_file="$results.file$"

Reply
Solved! Jump to solution

chris
Motivator
‎02-17-2017 02:16 AM

Thank you so much, this worked. I somehow missed that. Do you know what the meaning of the Parameter action.email.command is? It gets written to savedsearches.conf and can be set through the "Advanced edit" Action in the "Searches, reports, and alerts" View in the Splunk UI.

0 Karma
Reply
Solved! Jump to solution

nvanderwalt_spl
Splunk Employee
Splunk Employee
‎02-17-2017 02:23 AM

I don't. I was just trying to implement a custom email command. Like you, I also found that changing action.email.command does nothing, but instead defaults to command in alert_actions.conf. I assume there must be some way to interact with it, but I can't figure out what that is...

0 Karma
Reply
Solved! Jump to solution

chris
Motivator
‎02-17-2017 02:27 AM

Ok, thanks.

0 Karma
Reply
Solved! Jump to solution

timpacl
Path Finder
‎01-21-2021 11:58 AM

I know this is an old thread but would you be willing to share your python file? This is half of what I want to do. The other half is specify a field list that determines which fields go into the emailed results, either inline or attached, and in what order they appear. Thanks.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...