
Reformatting Alert Notifications




When we capture a Live Search and an email goes out to our support groups, they are requesting that I reformat the HTML output so the server name is in the first column and not the last or some other column. Is that possible? I didn't see anything in the alert_actions.conf file. Only whether to send html, plain... or even to use an attachment or send data inline.

Our current ../local/alert_actions.conf file looks like this:
# specify the format of the text in the email with two
# possible values: html, raw, csv, plain
#
format=html

# specifies whether the results need to be attached as a file
# or added to the body of the email (inline)
# options: auto, true (inline the results in the email), false (attach results
# as a file)
#
inline=true

Paul

Paul,

Do you mean that you only want to send certain fields? If so, maybe this will help:

http://www.splunk.com/doc/latest/admin/SetupAlerts#Specifywhichfieldstoshow

If not, let me know what you are looking for.

Well....kind of. I am looking to reorder the data that we receive, but I don't want to have to write that into each and every Live Search. I would like to see the entire error string, date, host, source....etc, but want the "host" field listed first. That way the support teams don't have to go looking for the host names but have it listed in the first column. Hope that helps.

But yes. I can see how the | fields +/- would be beneficial.

Thanks.

I have been looking for this as well; it seems that there is no easy way to rearrange these columns, as the sendemail.py script actually sorts them based off of size.

You can find the script at $SPLUNK_HOME/etc/searchscripts/sendemail.py

I'm sure someone out there that has some Python skills could figure this one out, but that person is not I.
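As an added example (not code from this thread and not Splunk's own sendemail.py), here is the kind of column-ordering logic a modified mail script would need: pin the fields the support teams care about (here `host`) to the front of the HTML table and leave every other field in the order it first appears, instead of sorting by width. The sample rows, the function names `order_columns` and `render_html_table`, and the `pinned` parameter are all constructed for this illustration. Values are HTML-escaped before they go into the table, because raw log text ending up in an HTML email should never be trusted as markup.

```python
import html
from typing import Dict, Iterable, List, Sequence

# Constructed sample results, shaped like rows a search might hand to a
# mail script. Illustrative data only, not output from any real deployment.
SAMPLE_RESULTS: List[Dict[str, str]] = [
    {"_time": "2008-07-01 10:15:02", "source": "/var/log/app.log",
     "host": "web01", "message": "ERROR connection refused <db01:5432>"},
    {"_time": "2008-07-01 10:15:09", "source": "/var/log/app.log",
     "host": "web02", "message": "ERROR timeout after 30s"},
]


def order_columns(rows: Iterable[Dict[str, str]],
                  pinned: Sequence[str] = ("host",)) -> List[str]:
    """Return the column list with the pinned fields first (in the order
    given), followed by every remaining field in first-seen order.
    Pinned fields that occur in no row are silently skipped."""
    seen: List[str] = []
    for row in rows:
        for name in row:
            if name not in seen:
                seen.append(name)
    first = [p for p in pinned if p in seen]
    rest = [c for c in seen if c not in first]
    return first + rest


def render_html_table(rows: List[Dict[str, str]],
                      pinned: Sequence[str] = ("host",)) -> str:
    """Render rows as an HTML table using the pinned-first column order.
    Every header and cell is escaped so log content cannot inject markup
    into the email body."""
    columns = order_columns(rows, pinned)
    parts = ["<table>", "<tr>"]
    parts += [f"<th>{html.escape(c)}</th>" for c in columns]
    parts.append("</tr>")
    for row in rows:
        parts.append("<tr>")
        parts += [f"<td>{html.escape(str(row.get(c, '')))}</td>"
                  for c in columns]
        parts.append("</tr>")
    parts.append("</table>")
    return "".join(parts)


if __name__ == "__main__":
    print(order_columns(SAMPLE_RESULTS))
    print(render_html_table(SAMPLE_RESULTS))
```

Pinning a short list of fields rather than hard-coding the whole column order means the same routine works for every Live Search without editing each one, which is what the thread is asking for.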