This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.2, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6
Edit alert_actions.conf to specify the message subject and from address used for alert emails. Use $SPLUNK_HOME/etc/bundles/README/alert_actions.conf.example as an example, or create your own alert_actions.conf. Make any changes in $SPLUNK_HOME/etc/bundles/local/, or in your own custom bundle directory. For more information on configuration files in general, see how configuration files work.
[email]
# from email address
from=splunk@splunkalerts.com
# subject of the email
subject=Splunk Results
To make additional customizations, edit sendemail.py in $SPLUNK_HOME/etc/searchscripts/. This script is called for each alert, must be named sendemail.py, and is overwritten on upgrade. Save a copy of your changes in a safe location for future reference.
Note: Keep a backup copy of the original version of the script so you can revert to it in the event of a problem. Test your changes carefully. For more information on the Python language, see http://www.python.org.
The mail() function, called by splunkd for each alert email, formats and sends the message using arguments specified in alert_actions.conf and internal defaults. Modify the location of the mail server or the contents of the message header by changing the value of the variables defined at the top of the function:
serverURL = argvals.get("server", "localhost")
sender = argvals.get("from", "splunk@" + socket.gethostname())
to = argvals.get("to", None)
cc = argvals.get("cc", None)
bcc = argvals.get("bcc", None)
subject = argvals.get("subject", "Splunk Results")
format = argvals.get("format", "html")
importance = argvals.get("priority", None)
Note: To change the format of the email, modify the variable bodytext, which contains the text of the message body, including search results.
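
If you customize how these variables are turned into headers, check their values before using them. The following is an added example, not Splunk's sendemail.py: it applies the same defaults as the variables above, rejects line breaks in header values, and keeps bcc addresses out of the headers. The function names are hypothetical, the code targets a current Python 3 interpreter, and it assumes addresses are comma-separated and that any format other than html is sent as plain text.

```python
# Added example: not Splunk's sendemail.py. Function names are hypothetical.
import socket
from email.message import EmailMessage

def resolve_settings(argvals):
    """Apply the same defaults as the variables at the top of mail()."""
    return {
        "server": argvals.get("server", "localhost"),
        "from": argvals.get("from", "splunk@" + socket.gethostname()),
        "to": argvals.get("to", None),
        "cc": argvals.get("cc", None),
        "bcc": argvals.get("bcc", None),
        "subject": argvals.get("subject", "Splunk Results"),
        "format": argvals.get("format", "html"),
    }

def check_header(name, value):
    """Reject CR/LF so a configured value cannot add extra header lines."""
    if value is not None and ("\r" in value or "\n" in value):
        raise ValueError("line break in %s value" % name)
    return value

def split_addrs(value):
    # Assumption: multiple addresses are separated by commas.
    return [a.strip() for a in (value or "").split(",") if a.strip()]

def build_message(argvals, bodytext):
    """Return (message, envelope_recipients); nothing is sent."""
    s = resolve_settings(argvals)
    for name in ("from", "to", "cc", "bcc", "subject"):
        check_header(name, s[name])
    msg = EmailMessage()
    msg["From"] = s["from"]
    msg["Subject"] = s["subject"]
    if s["to"]:
        msg["To"] = ", ".join(split_addrs(s["to"]))
    if s["cc"]:
        msg["Cc"] = ", ".join(split_addrs(s["cc"]))
    # Assumption: any format other than "html" is sent as plain text.
    subtype = "html" if s["format"] == "html" else "plain"
    msg.set_content(bodytext, subtype=subtype)
    # Bcc addresses go in the SMTP envelope only, never in a header.
    recipients = (split_addrs(s["to"]) + split_addrs(s["cc"])
                  + split_addrs(s["bcc"]))
    if not recipients:
        raise ValueError("no recipients configured")
    return msg, recipients
```

The returned recipient list is what you would hand to the SMTP client as the envelope recipients, together with the server value from resolve_settings().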