Splunk® Enterprise

Search Reference

Download manual as PDF



Use the sendemail command to generate email notifications. You can email search results to specified email addresses.


sendemail to=<email_list>

[format=csv | table | raw]
[inline= <bool>]
[priority=highest | high | normal | low | lowest]
[content_type=html | plain]
[papersize=letter | legal | ledger | a2 | a3 | a4 | a5]
[paperorientation=portrait | landscape]
[maxtime=<int> m | s | h | d]

Required arguments

Syntax: to=<email_list>
Description: List of email addresses to send search results to.

Optional arguments

Syntax: bcc=<email_list>
Description: Blind courtesy copy line. Specify email addresses in a comma-separated and quoted list.
Syntax: cc=<email_list>
Description: Courtesy copy line. Specify email addresses in a comma-separated and quoted list.
Syntax: content_type=html | plain
Description: The format type of the email.
Default: html
Syntax: format=csv | table | raw
Description: Specifies how to format inline results.
Default: table
Syntax: footer=<string>
Description: Specify an alternate email footer.
"If you believe you've received this email in error, please see your Splunk administrator.
splunk > the engine for machine data."
Note: To force a new line in the footer, use Shift+Enter.
Syntax: from=<email_list>
Description: Email address from line.
Syntax: inline=true | false
Description: Specifies whether to send the results in the message body or as an attachment. Attachments are provided as csv.
Default: true
Syntax: graceful=true | false
Description: If set to true, no error is thrown, if email sending fails and thus the search pipeline continues execution as if sendemail was not there.
Syntax: maxinputs = <integer>
Description: Set the maximum number of search results sent via alerts.
Syntax: maxtime = <integer>m | s | h | d
Description: The maximum amount of time that the execution of an action is allowed to take before the action is aborted.
Default:no limit
Syntax: message=<string>
Description: Specifies the message sent in the email.
  • If sendresults=true, the message defaults to "Search complete."
  • If sendresults=true, inline=true, and either sendpdf=false or sendcsv=false, message defaults to "Search results."
  • If sendpdf=true or sendcsv=true, message defaults to "Search results attached."
Syntax: paperorientation = portrait | landscape
Description: The orientation of the paper.
Default: portrait
Syntax: papersize=letter | legal | ledger | a2 | a3 | a4 | a5
Description: Default paper size for PDFs. Acceptable values: letter, legal, ledger, a2, a3, a4, a5.
Default: letter
Syntax: pdfview=<string>
Description: Name of view to send as a PDF.
Syntax: priority=highest | high | normal | low | lowest
Description: Set the priority of the email as it appears in the email client. Lowest or 5, low or 4, high or 2, highest or 1. Defaults to normal or 3.
Syntax: sendcsv=true | false
Description: Specify whether to send the results with the email as an attached csv file or not. Defaults to false.
Syntax: sendpdf=true | false
Description: Specify whether to send the results with the email as an attached PDF or not. For more information about using Splunk's integrated PDF generation functionality, see "Generate PDFs of your reports and dashboards" in the Reporting Manual. Defaults to false.
Syntax: sendresults=true | false
Description: Determines whether the results should be included with the email. Defaults to false.
Syntax: server=<string>
Description: If the SMTP server is not local, use this to specify it. Defaults to localhost.
Syntax: subject=<string>
Description: Specifies the subject line. Defaults to "Splunk Results".
Syntax: use_ssl=true | false
Description: Whether to use SSL when communicating with the SMTP server. When set to 1 (true), you must also specify both the server name or IP address and the TCP port in the "mailserver" attribute. Defaults to 0 (false).
Syntax: use_tls=true | false
Description: Specify whether to use TLS (transport layer security) when communicating with the SMTP server (starttls). Defaults to 0 (false).
Syntax: width_sort_columns=true | false
Description: This is only valid for plain text emails. Specifies whether the columns should be sorted by their width. Defaults to true.


1: Send search results to the specified email

Send search results to the specified email. By default, the results are formatted as raw.

... | sendemail to="elvis@splunk.com" sendresults=true

2: Send search results in table format

Send search results in table format with the subject "myresults".

... | sendemail to="elvis@splunk.com,john@splunk.com" format=raw subject=myresults server=mail.splunk.com sendresults=true

===3. Send an email notification with a pdf attachment, a message, and raw inline results.

index=_internal | head 5 | sendemail to=example@splunk.com server=mail.example.com subject="Here is an email from Splunk" message="This is an example message" sendresults=true inline=true format=raw sendpdf=true


Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the sendemail command.


This documentation applies to the following versions of Splunk: 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.3.0, 6.3.1 View the Article History for its revisions.


Can the sendmail command be used to send multiple mails based on receiver information in the search result? So if I have a result with 10 events and each event containts an email adress I want to send 10 mails with specific information from each Event to 10 different receivers. When I try this, only one mail is send based on the data of the first event in the search result set.

February 4, 2015

Thanks Greich. I've updated the syntax to include the subject argument.

October 15, 2014

the "subject" argument is not listed in the Syntax subsection

October 15, 2014

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole
Feedback you enter here will be delivered to the documentation team

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters