Limited customization can be done via alert_actions.conf to specify the message subject and From: address used for alert emails.
Before making modifications to any configuration file, please see the documentation about bundles. See the alert_actions.conf reference page for details of that file.
[email]
# from email address
from=splunk@splunkalerts.com
# subject of the email
subject=Splunk Results
If you need additional customization, you can edit sendemail.py in $SPLUNK_HOME/etc/searchscripts. This is called for each alert, must be named sendemail.py and will be overwritten on upgrade. Save a copy of your changes in a safe location for future reference.
Warning: Keep a backup copy of the original version so you can revert in the event of a problem. Test your changes carefully. For more information on the Python language, see http://www.python.org.
The mail() function, called by splunkd for each alert email, formats and sends the message using arguments configured in alert_actions.conf and internal defaults. You can modify the location of the mail server or the contents of the message header by changing the value of the variables defined at the top of the function:
serverURL = argvals.get("server", "localhost")
sender = argvals.get("from", "splunk@" + socket.gethostname())
to = argvals.get("to", None)
cc = argvals.get("cc", None)
bcc = argvals.get("bcc", None)
subject = argvals.get("subject", "Splunk Results")
format = argvals.get("format", "html")
importance = argvals.get("priority", None)
If you are interested in changing the format of the email, note that the variable bodytext contains the text of the message body, including search results.
Comments
You're right - I just added links to pages with details on editing configuration files. The short answer is that you should always make local edits in $SPLUNK_HOME/etc/bundles/local to make sure your changes are preserved when you upgrade. You will need to copy the example file from $SPLUNK_HOME/etc/bundles/README to local (if, as you showed above, the file is not there yet in local) and make your edits there.
ks
Posted by kathleen on Aug 30 2007, 1:17pm
The path to the alert_actions.conf file is not specified anywhere. There are a number of them:
# cd /opt/splunk
# find . -exec grep "splunkalerts" {} /dev/null \;
./etc/bundles/README/alert_actions.conf.example:from=splunk@splunkalerts.com
./etc/bundles/default/alert_actions.conf:from=splunk@splunkalerts.com
./etc.bak/bundles/README/alert_actions.conf.example:from=splunk@splunkalerts.com
./etc.bak/bundles/default/alert_actions.conf:from=splunk@splunkalerts.com
Posted by wijgalt on Aug 30 2007, 12:55pm
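As an added example, not code from the Splunk documentation or from either commenter: the snippet below mirrors the fallback logic at the top of mail() in sendemail.py and the default/local bundle layering described in the comments (keys in the local copy of alert_actions.conf override the default copy). Both configuration texts are constructed stand-ins; the X-Priority header name and the example addresses are assumptions, since the page does not say how the importance value is emitted. It also adds a check a practitioner editing this script would want: header values pulled from configuration must not contain line breaks, otherwise a bad edit to alert_actions.conf could smuggle extra headers into every alert email.

```python
import configparser
import socket
from email.message import EmailMessage

# Constructed stand-ins for the two layered copies of alert_actions.conf
# (etc/bundles/default and etc/bundles/local in the comments above).
DEFAULT_CONF = """\
[email]
# from email address
from=splunk@splunkalerts.com
# subject of the email
subject=Splunk Results
"""

LOCAL_CONF = """\
[email]
from=alerts@example.com
server=smtp.example.com
"""


def load_email_stanza(default_text, local_text):
    """Merge the [email] stanza from the default and local copies; local wins."""
    merged = {}
    for text in (default_text, local_text):
        cp = configparser.ConfigParser(interpolation=None)
        cp.read_string(text)
        if cp.has_section("email"):
            merged.update(cp.items("email"))
    return merged


def resolve_mail_args(argvals):
    """Apply the same fallbacks as the variables at the top of mail()."""
    return {
        "server": argvals.get("server", "localhost"),
        "from": argvals.get("from", "splunk@" + socket.gethostname()),
        "to": argvals.get("to", None),
        "cc": argvals.get("cc", None),
        "bcc": argvals.get("bcc", None),
        "subject": argvals.get("subject", "Splunk Results"),
        "format": argvals.get("format", "html"),
        "priority": argvals.get("priority", None),
    }


def is_safe_header(value):
    """A header value taken from configuration must be a single line."""
    return value is None or ("\r" not in value and "\n" not in value)


def check_header_value(name, value):
    """Refuse to build a message whose configured header could inject more headers."""
    if not is_safe_header(value):
        raise ValueError("header %s contains a line break" % name)
    return value


def build_message(args, bodytext):
    """Assemble the alert email the way mail() would, from resolved arguments."""
    msg = EmailMessage()
    for header, key in (("From", "from"), ("To", "to"), ("Cc", "cc"), ("Subject", "subject")):
        value = check_header_value(key, args[key])
        if value is not None:
            msg[header] = value
    if args["priority"] is not None:
        # Assumption: importance is emitted as X-Priority; the page does not say.
        msg["X-Priority"] = check_header_value("priority", args["priority"])
    subtype = "html" if args["format"] == "html" else "plain"
    msg.set_content(bodytext, subtype=subtype)
    return msg


if __name__ == "__main__":
    merged = load_email_stanza(DEFAULT_CONF, LOCAL_CONF)
    args = resolve_mail_args(merged)
    args["to"] = "ops@example.com"  # constructed recipient
    print(build_message(args, "<p>3 matching events</p>").as_string())
```

Running the module shows the From: address from the local copy winning over the default copy while the subject falls through to the default, which is exactly the behaviour kathleen's advice about editing in $SPLUNK_HOME/etc/bundles/local relies on.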