Customize alert options
This documentation does not apply to the most recent version of Splunk.
Edit alert_actions.conf to specify the message subject and from address used for alert emails. For more information on configuration files in general, see how configuration files work.
Note: Email must be enabled on your Splunk server to send alerts. Alternatively, you can specify another email server, provided your Splunk server can connect to it.
Configuration
Add a stanza to alert_actions.conf. Edit this file in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/.
Global settings
Global options: these settings do not need to be prefaced by a stanza name. If you do not specify an entry for each attribute, Splunk will use the default value.
maxresults = <int>
- Set the global maximum number of search results sent via alerts.
- Defaults to 100.
hostname = <string>
- Set the hostname that is displayed in the link sent in alerts.
- This is useful when the machine sending the alerts does not have a FQDN.
- Defaults to current hostname (set in Splunk) or localhost (if none is set).
Configure email options for alerts. Preface email settings with the [email] stanza name.
[email]
- Set email notification options under this stanza name.
- Follow this stanza name with any number of the following attribute/value pairs.
- If you do not specify an entry for each attribute, Splunk uses the default value.
from = <string>
- Email address from which the alert originates.
- Defaults to splunk@<splunk-hostname>.
subject = <string>
- Specify an alternate email subject.
- Defaults to SplunkAlert-<savedsearchname>.
format = <string>
- Specify the format of text in the email.
- Possible values: plain, html, raw and csv.
- This value will also apply to any attachments.
inline = <true | false | auto>
- Specify whether the search results are contained in the body of the alert email.
- Defaults to false.
mailserver = <string>
- The SMTP mail server to use when sending emails.
- Defaults to localhost.
Example
The following example alert_actions.conf sets e-mail options for alerts.
[email]
from = alert@mysplunk.com
subject = daily log review
format = plain
RSS
[rss]
- Set rss notification options under this stanza name.
- Follow this stanza name with any number of the following attribute/value pairs.
- If you do not specify an entry for each attribute, Splunk uses the default value.
items_count = <number>
- Number of saved RSS feeds.
- Cannot be more than maxresults (in [email] stanza).
- Defaults to 30.
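The defaults and constraints listed on this page can be checked mechanically before an alert_actions.conf is deployed. The following Python script is an added example, not Splunk code: the function names are hypothetical, the sample configuration is constructed, and it assumes the file is simple enough for Python's configparser to read.

```python
# Added example (not Splunk code): audit alert_actions.conf text against the
# defaults and limits documented on this page. All names are hypothetical.
import configparser

# Defaults as stated on this page (hostname-dependent defaults are omitted).
DEFAULTS = {
    "global": {"maxresults": "100"},
    "email": {"inline": "false", "mailserver": "localhost"},
    "rss": {"items_count": "30"},
}
FORMATS = {"plain", "html", "raw", "csv"}
INLINE = {"true", "false", "auto"}

def load_effective(text):
    """Return {stanza: {attr: value}} with documented defaults filled in."""
    parser = configparser.ConfigParser(interpolation=None)
    # Global settings have no stanza header, so wrap them in a synthetic one.
    parser.read_string("[global]\n" + text)
    effective = {name: dict(vals) for name, vals in DEFAULTS.items()}
    for stanza in parser.sections():
        effective.setdefault(stanza, {}).update(parser[stanza])
    return effective

def audit(text):
    """Return a list of problems found in the configuration text."""
    conf, problems = load_effective(text), []
    fmt = conf["email"].get("format")
    if fmt is not None and fmt not in FORMATS:
        problems.append(f"email.format: {fmt!r} is not one of {sorted(FORMATS)}")
    if conf["email"]["inline"] not in INLINE:
        problems.append(f"email.inline: {conf['email']['inline']!r} is invalid")
    try:
        maxresults = int(conf["global"]["maxresults"])
        items = int(conf["rss"]["items_count"])
    except ValueError:
        problems.append("maxresults and items_count must be integers")
    else:
        if items > maxresults:
            problems.append(f"rss.items_count {items} exceeds maxresults {maxresults}")
    return problems

# Constructed sample input, not taken from a real deployment.
SAMPLE = """maxresults = 20
[email]
from = alert@mysplunk.com
format = pdf
[rss]
items_count = 30
"""
```

Calling audit(SAMPLE) reports the unsupported format value and the items_count that exceeds maxresults; the example configuration shown earlier on this page passes with no findings.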
This documentation applies to the following versions of Splunk: 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14