Topics

| pdf version

About the Splunk Admin Manual

How Splunk Works

Getting Started

Data Inputs

Data Distribution

Indexing

Timestamps

Fields

Hosts

Source Types

Event Types

Transaction Types

Search

Distributed Search

Alerts

Security

Data Management

Deployment Server

Performance Tuning

Configuration Files

Applications

Reference

Troubleshooting


Toolbox

Splunk > The IT Search Company

  • Search and navigate IT data from applications, servers and network devices in real-time.
  • Download Splunk

Localized Splunk documentation

Looking for Splunk documentation in other languages?

Documentation | Discussion | View source | History

Customize alert options

This documentation does not apply to the most recent version of Splunk.

This documentation applies to the following versions of Splunk: 3.3 , 3.3.1 , 3.3.2 , 3.3.3 , 3.3.4 , 3.4 , 3.4.1 , 3.4.2 , 3.4.3 , 3.4.5 , 3.4.6 , 3.4.8 , 3.4.9 , 3.4.10 , 3.4.11 , 3.4.12 , 3.4.13

Customize alert options

Edit alert_actions.conf to specify the message subject and from address used for alert emails. For more information on configuration files in general, see how configuration files work.

Note: Email must be enabled on your Splunk server to send alerts. Or you can specify another email server, but your Splunk server must be able to connect to it.


Configuration

Add a stanza to alert_actions.conf. Edit this file in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/.

Global settings

Global options: these settings do not need to be prefaced by a stanza name. If you do not specify an entry for each attribute, Splunk will use the default value.

maxresults = <int>

  • Set the global maximum number of search results sent via alerts.
  • Defaults to 100.

hostname = <string>

  • Set the hostname that is displayed in the link sent in alerts.
  • This is useful when the machine sending the alerts does not have a FQDN.
  • Defaults to current hostname (set in Splunk) or localhost (if none is set).

Email

Configure email options for alerts. Preface email settings with the [email] stanza name.

[email]

  • Set email notification options under this stanza name.
  • Follow this stanza name with any number of the following attribute/value pairs.
  • If you do not specify an entry for each attribute, Splunk uses the default value.

from = <string>

  • Email address originating alert.
  • Defaults to splunk@<splunk-hostname>.

subject = <string>

  • Specify an alternate email subject.
  • Defaults to SplunkAlert-<savedsearchname>.

format = <string>

  • Specify the format of text in the email.
  • Possible values: plain, html, raw and csv.
  • This value will also apply to any attachments.

inline = <true | false | auto>

  • Specify whether the search results are contained in the body of the alert email.
  • Defaults to false.

mailserver = <string>

  • The SMTP mail server to use when sending emails.
  • Defaults to localhost.

Example

The following example alert_actions.conf sets e-mail options for alerts. 

[email]
from = alert@mysplunk.com
subject = daily log review
format = plain

RSS

[rss]

  • Set rss notification options under this stanza name.
  • Follow this stanza name with any number of the following attribute/value pairs.
  • If you do not specify an entry for each attribute, Splunk uses the default value.

items_count = <number>

  • Number of saved RSS feeds.
  • Cannot be more than maxresults (in [email] stanza).
  • Defaults to 30.
Retrieved from "http://www.splunk.com/base/Documentation/3.3/Admin/CustomizeAlertOptions"
Revision: 207 Contact Privacy Policy Terms of Use Community content licensed under Creative Commons

Copyright © 2005-2010 Splunk Inc. All rights reserved.