Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is our custom sendemail command not being called for a scheduled saved search?

chris
Motivator
‎11-07-2016 09:54 PM

Hi,

One of our users wants to have the results of a search split based on a field in the resultset and receive an email per subset of the original resultset.

I copied sendemail.py to that users app/bin dir, renamed and modified it. And I created a stanza in commands.conf of that app:

[sendemailsplit]
filename = sendemailsplit.py
streaming = false
run_in_preview = false
passauth = true
required_fields =
changes_colorder = false
supports_rawargs = true
undo_scheduler_escaping = true
is_risky = true

Sending emails calling the script using sendemailsplit directly from search works fine. I was hoping that by replacing the action.email.command value of a saved search, I will be able to use the modified command, but it is not getting called.

I just replaced the default Setting in savedsearch.conf which is:

$action.email.preprocess_results{default=""}$ | sendemail "results_link=$results.url$" "ssname=$name$" "graceful=$graceful{default=True}$" "trigger_time=$trigger_time$" maxinputs="$action.email.maxresults{default=10000}$" maxtime="$action.email.maxtime{default=5m}$" results_file="$results.file$"

with the new command

action.email.command = $action.email.preprocess_results{default=""}$ | sendemailsplit splitfield="host" "results_link=$results.url$" "ssname=$name$" "graceful=$graceful{default=True}$" "trigger_time=$trigger_time$" maxinputs="$action.email.maxresults{default=10000}$" maxtime="$action.email.maxtime{default=5m}$" results_file="$results.file$"

Emails are still being sent when the search is scheduled, but python.log just shows that sendemail is being called instead of sendemailsplit.

What am I not getting/doing wrong? Oh and I did restart Splunk a couple of times by now ... if you need more info please let me know.
Regards
Chris

These are a couple of things i tried since posting:

  • Rename the command from sendemailsplit to sendemail -> the alert does not use the custom script
  • Changing request.ui_dispatch_app to different values -> the alert does not use the custom script
  • Adding the 2nd part of action.email.command to the search | sendemailsplit splitfield="host" "results_link=$results.url$" "ssname=$name$" "graceful=$graceful{default=True}$" "trigger_time=$trigger_time$" maxinputs="$action.email.maxresults{default=10000}$" maxtime="$action.email.maxtime{default=5m}$" results_file="$results.file$" -> this yields errors when invoked from search but works when scheduled

So ok I have a work around but this is ugly. I'll leave the question open hoping that someone who knows how this works can help me.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nvanderwalt_spl
Splunk Employee
Splunk Employee
‎02-16-2017 01:39 PM

Not sure if you have managed to get this going, but what you need is an entry in a local alert_actions.conf
Something like:

cat $SPLUNK_HOME/etc/apps/my_app/local/alert_actions.conf


[email]

command     = $action.email.preprocess_results{default=""}$ | sendemailsplit splitfield="host" "results_link=$results.url$" "ssname=$name$" "graceful=$graceful{default=True}$" "trigger_time=$trigger_time$" maxinputs="$action.email.maxresults{default=10000}$" maxtime="$action.email.maxtime{default=5m}$" results_file="$results.file$"

View solution in original post

Reply
Solved! Jump to solution
Solution

nvanderwalt_spl
Splunk Employee
Splunk Employee
‎02-16-2017 01:39 PM

Not sure if you have managed to get this going, but what you need is an entry in a local alert_actions.conf
Something like:

cat $SPLUNK_HOME/etc/apps/my_app/local/alert_actions.conf


[email]

command     = $action.email.preprocess_results{default=""}$ | sendemailsplit splitfield="host" "results_link=$results.url$" "ssname=$name$" "graceful=$graceful{default=True}$" "trigger_time=$trigger_time$" maxinputs="$action.email.maxresults{default=10000}$" maxtime="$action.email.maxtime{default=5m}$" results_file="$results.file$"

Reply
Solved! Jump to solution

chris
Motivator
‎02-17-2017 02:16 AM

Thank you so much, this worked. I somehow missed that. Do you know what the meaning of the Parameter action.email.command is? It gets written to savedsearches.conf and can be set through the "Advanced edit" Action in the "Searches, reports, and alerts" View in the Splunk UI.

0 Karma
Reply
Solved! Jump to solution

nvanderwalt_spl
Splunk Employee
Splunk Employee
‎02-17-2017 02:23 AM

I don't. I was just trying to implement a custom email command. Like you, I also found that changing action.email.command does nothing, but instead defaults to command in alert_actions.conf. I assume there must be some way to interact with it, but I can't figure out what that is...

0 Karma
Reply
Solved! Jump to solution

chris
Motivator
‎02-17-2017 02:27 AM

Ok, thanks.

0 Karma
Reply
Solved! Jump to solution

timpacl
Path Finder
‎01-21-2021 11:58 AM

I know this is an old thread but would you be willing to share your python file? This is half of what I want to do. The other half is specify a field list that determines which fields go into the emailed results, either inline or attached, and in what order they appear. Thanks.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...