Admin Manual

 



This documentation does not apply to the most recent version of Splunk.

Customize alert options

Email options

Edit alert_actions.conf to specify the message subject and from address used for alert emails. Use the $SPLUNK_HOME/etc/bundles/README/alert_actions.conf.example as an example, or create your own alert_actions.conf. Make any changes in $SPLUNK_HOME/etc/bundles/local/, or your own custom bundle directory. For more information on configuration files in general, see how configuration files work.


    [email]
    # from email address
    from=splunk@splunkalerts.com
    # subject of the email
    subject=Splunk Results

Additional alert customizations

To make additional customizations, edit sendemail.py in $SPLUNK_HOME/etc/searchscripts/. Splunk calls this script for each alert. The file must be named sendemail.py, and it is overwritten on upgrade, so save a copy of your changes in a safe location for future reference.


Note: Keep a backup copy of the original version of the script so you can revert to it in the event of a problem. Test your changes carefully. For more information on the Python language, see http://www.python.org.


The mail() function, called by splunkd for each alert email, formats and sends the message using arguments specified in alert_actions.conf and internal defaults. Modify the location of the mail server or the contents of the message header by changing the value of the variables defined at the top of the function:


    serverURL = argvals.get("server", "localhost")
    sender    = argvals.get("from", "splunk@" + socket.gethostname())
    to        = argvals.get("to", None)
    cc        = argvals.get("cc", None)
    bcc       = argvals.get("bcc", None)
    subject   = argvals.get("subject", "Splunk Results")
    format    = argvals.get("format", "html")
    importance= argvals.get("priority", None)

Note: To change the format of the email, modify the variable bodytext, which contains the text of the message body, including search results.
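
The following added example (Python 3, not Splunk's sendemail.py) resolves the same settings with the same defaults and builds the message without sending it, so a customization can be checked before it goes into the live script. The function name build_alert_message, the use of an Importance header for the priority value, and the line-break check are assumptions made for illustration.

```python
import socket
from email.message import EmailMessage


def build_alert_message(argvals, bodytext):
    """Hypothetical helper: resolve alert settings and build (not send) the email."""
    # Same keys and defaults as the variables at the top of mail().
    settings = {
        "server": argvals.get("server", "localhost"),
        "from": argvals.get("from", "splunk@" + socket.gethostname()),
        "to": argvals.get("to", None),
        "cc": argvals.get("cc", None),
        "bcc": argvals.get("bcc", None),
        "subject": argvals.get("subject", "Splunk Results"),
        "format": argvals.get("format", "html"),
        "priority": argvals.get("priority", None),
    }
    if not settings["to"]:
        raise ValueError("alert email needs a 'to' address")
    # A line break inside a setting would add extra header lines to the
    # message, so refuse it before anything is placed in a header.
    for key, value in settings.items():
        if value is not None and ("\r" in value or "\n" in value):
            raise ValueError("line break in %r setting" % key)

    msg = EmailMessage()
    msg["From"] = settings["from"]
    msg["To"] = settings["to"]
    if settings["cc"]:
        msg["Cc"] = settings["cc"]
    msg["Subject"] = settings["subject"]
    if settings["priority"]:
        # Assumption: the page does not show how the real script uses priority.
        msg["Importance"] = settings["priority"]
    subtype = "html" if settings["format"] == "html" else "plain"
    msg.set_content(bodytext, subtype=subtype)

    # Bcc addresses belong in the SMTP envelope only, never in a header.
    recipients = [addr.strip()
                  for field in ("to", "cc", "bcc") if settings[field]
                  for addr in settings[field].split(",") if addr.strip()]
    return settings["server"], recipients, msg
```
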

This documentation applies to the following versions of Splunk: 3.2, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6.

