Search Reference




Use the sendemail command to generate email notifications.


Emails search results to specified email addresses.


sendemail to=<email_list> [from=<email_list>] [cc=<email_list>] [bcc=<email_list>] [subject=<string>] [format= (csv | table | raw)] [inline= <bool>] [sendresults=<bool>] [sendpdf=<bool>] [priority=( highest | high | normal | low | lowest)] [server=<string>] [width_sort_columns=<bool>] [graceful=<bool>] [message=<string>] [sendcsv=<bool>] [use_ssl=<bool>] [use_tls=<bool>] [pdfview=<string>] [papersize=(letter | legal | ledger | a2 | a3 | a4 | a5)] [paperorientation=(portrait | landscape)] [maxinputs=<int>] [maxtime=<int>m | s | h | d] [footer=<string>]

Required arguments

Syntax: to=<email_list>
Description: List of email addresses to send search results to.

Optional arguments

Syntax: bcc=<email_list>
Description: Blind cc line; comma-separated and quoted list of valid email addresses.
Syntax: cc=<email_list>
Description: Cc line; comma-separated quoted list of valid email addresses.
Syntax: format= csv | table | raw
Description: Specifies how to format inline results. Defaults to table.
Syntax: footer=<string>
Description: Specify an alternate email footer. Defaults to "If you believe you've received this email in error, please see your Splunk administrator.\r\n\r\nsplunk > the engine for machine data."
Syntax: from=<email_list>
Description: Email address from line. Defaults to "splunk@<hostname>".
Syntax: inline= true | false
Description: Specifies whether to send the results in the message body or as an attachment. Attachments are provided as csv. Defaults to true.
Syntax: graceful= true | false
Description: If set to true, no error is thrown, if email sending fails and thus the search pipeline continues execution as if sendemail was not there. Defaults to false.
Syntax: maxinputs = <integer>
Description: Set the maximum number of search results sent via alerts. Defaults to 50000.
Syntax: maxtime = <integer>m | s | h | d
Description: The maximum amount of time that the execution of an action is allowed to take before the action is aborted. Defaults to no limit.
Syntax: message=<string>
Description: Specifies the message sent in the email. If sendresults=true, message defaults to "Search complete." If sendresults=true, inline=true, and either sendpdf=false or sendcsv=false, message defaults to "Search results." If sendpdf=true or sendcsv=true, message defaults to "Search results attached."
Syntax: paperorientation = portrait | landscape
Description: Paper orientation: portrait or landscape. Defaults to "portrait".
Syntax: papersize = letter | legal | ledger | a2 | a3 | a4 | a5
Description: Default paper size for PDFs. Acceptable values: letter, legal, ledger, a2, a3, a4, a5. Defaults to "letter".
Syntax: pdfview=<string>
Description: Name of view to send as a PDF.
Syntax: priority=highest | high | normal | low | lowest
Description: Set the priority of the email as it appears in the email client. Lowest or 5, low or 4, high or 2, highest or 1. Defaults to normal or 3.
Syntax: sendcsv=true | false
Description: Specify whether to send the results with the email as an attached csv file or not. Defaults to false.
Syntax: sendpdf=true | false
Description: Specify whether to send the results with the email as an attached PDF or not. For more information about using Splunk's integrated PDF generation functionality, see "Generate PDFs of your reports and dashboards" in the Reporting Manual. Defaults to false.
Syntax: sendresults=true | false
Description: Determines whether the results should be included with the email. Defaults to false.
Syntax: server=<string>
Description: If the SMTP server is not local, use this to specify it. Defaults to localhost.
Syntax: subject=<string>
Description: Specifies the subject line. Defaults to "Splunk Results".
Syntax: use_ssl=true | false
Description: Whether to use SSL when communicating with the SMTP server. When set to 1 (true), you must also specify both the server name or IP address and the TCP port in the "mailserver" attribute. Defaults to 0 (false).
Syntax: use_tls=true | false
Description: Specify whether to use TLS (transport layer security) when communicating with the SMTP server (starttls). Defaults to 0 (false).
Syntax: width_sort_columns=true | false
Description: This is only valid for plain text emails. Specifies whether the columns should be sorted by their width. Defaults to true.


Example 1: Send search results in table format with the subject "myresults".

... | sendemail to="," format=raw subject=myresults sendresults=true

Example 2: Send search results to the specified email. By default, the results are formatted as raw.

... | sendemail to="" sendresults=true

Example 3: Send an email notification with a pdf attachment, a message, and raw inline results.

index=_internal | head 5 | sendemail subject="Here is an email from Splunk" message="This is an example message" sendresults=true inline=true format=raw sendpdf=true


Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the sendemail command.

This documentation applies to the following versions of Splunk: 6.1 , 6.1.1 , 6.1.2 , 6.1.3 , 6.1.4 , 6.1.5 , 6.1.6 , 6.1.7 , 6.2.0 , 6.2.1 , 6.2.2 View the Article History for its revisions.


Can the sendmail command be used to send multiple mails based on receiver information in the search result? So if I have a result with 10 events and each event containts an email adress I want to send 10 mails with specific information from each Event to 10 different receivers. When I try this, only one mail is send based on the data of the first event in the search result set.

February 4, 2015

Thanks Greich. I've updated the syntax to include the subject argument.

October 15, 2014

the "subject" argument is not listed in the Syntax subsection

October 15, 2014

You must be logged into in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!