Splunk® Enterprise

Alerting Manual


Email notification action

Send an email notification to specified recipients when an alert triggers. Email notifications can include information from search results, the search job, and alert triggering. You can set up an email notification action from the Search page, the Alerts page, or directly in a search command.

In addition to alerting, there are other email notification contexts. For information on email notifications for reports, see Schedule reports in the Reporting Manual. For information on dashboard PDF email delivery, see Generate Dashboard PDFs in Dashboards and Visualizations.


Configure email notification for your Splunk instance

You must configure email notification settings for your Splunk implementation before you can design an email notification action.

If your email notification settings are already configured you can skip this task.

Prerequisites

Steps

  1. From the Search and Reporting app home page, select Settings > Server settings > Email settings.
  2. Select Mail Server Settings.
  3. Specify values for the following settings.
    Setting: Definition
    Mail host: The default value is localhost.
    Email security: Select one of the available options.
    Username: Optional. Required for SMTP server authentication.
    Password: Optional. Required for SMTP server authentication.
  4. Specify Email Format settings.
    Email Format Setting: Definition
    Link hostname: The hostname for outgoing results URLs. Enclose IPv6 addresses in square brackets. Example: [2001:db8:0:1]
    Send emails as: (Optional) Specify a sender identification, used in the From email header field. Use an email address or a string. Strings are concatenated with @<hostname>, using the hostname specified in alert_actions.conf for the machine sending the email notification, or @localhost if no hostname is specified. Defaults to splunk@<hostname>, or splunk@localhost if no hostname is specified.
    Email footer: Footer for all emails. Use text and/or tokens.
  5. Click Save.

Define an email notification for an alert or scheduled report


Steps

  1. You can configure the email notification action when you create a new alert, edit the actions for an existing alert, or define or edit the schedule for a report. Follow one of the options below.
    Option: Steps
    Create a new alert: From the Search page in the Search and Reporting app, select Save As > Alert. Enter alert details and configure triggering and throttling as needed.
    Edit an existing alert: From the Alerts page in the Search and Reporting app, select Edit > Edit actions for an existing alert.
    Define or edit the schedule of a report: From the Reports page in the Search and Reporting app, select Edit > Edit schedule for a report.
  2. Click Add Actions and select Send email.
  3. Type a comma-separated list of To email recipients.
  4. (Optional) Click Show CC and BCC to type comma-separated lists of CC and BCC email recipients.
  5. (Optional) Set the email Priority. Enforcement of email priority depends on your email client.
  6. (Optional) Provide the email Subject and Message.
    You can optionally use tokens in the subject and message text.
  7. (Optional) Select one or more of the following options to include material in the email.
    Option: Adds to email
    Link to Alert or Link to Report: A link to the alert or scheduled report that the email is associated with.
    Link to Results: A link to the results for the related search job.
    Search String: The search string used by the alert or scheduled report.
    Inline...: Displays the results as an inline table, a list of raw events, or in CSV file format.
    Trigger condition (for alerts only): The condition that triggered the alert.
    Trigger time (for alerts only): The alert timestamp.
    Attach CSV: A file attachment that provides the results in CSV format.
    Attach PDF: A file attachment that provides the results in PDF format.
  8. (Optional) Change the email Type to Plain Text.
    Type is set to HTML & Plain Text by default.
  9. Click Save.

If you have Splunk Enterprise, you can configure email alert settings by editing the alert_actions.conf configuration file. For details, see alert_actions.conf.
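The following alert_actions.conf [email] stanza is an added example, not taken from this documentation topic, showing how the Mail Server Settings and Email Format settings from the Email settings page map to configuration keys; the host names, sender name and credential values are placeholders. Splunk .conf files do not allow comments on the same line as a setting, so every comment is on its own line.

```ini
# alert_actions.conf, in the app's local directory
# Added example: values are placeholders, not from the documentation page.
[email]
# Mail Server Settings
# Mail host (default is localhost); host:port form is accepted.
mailserver = smtp.example.com:587
# Email security: STARTTLS on the submission port. Set use_ssl = 1 and
# use_tls = 0 instead for an implicit-TLS (SMTPS) server. Leaving both at 0
# sends credentials and alert content to the mail host in clear text.
use_tls = 1
use_ssl = 0
# Username and Password: only needed when the SMTP server authenticates.
auth_username = splunk-alerts
auth_password = CHANGE_ME_placeholder

# Email Format settings
# Link hostname for results URLs; enclose an IPv6 address in square brackets.
hostname = splunk.example.com
# Send emails as: a bare string becomes alerts@splunk.example.com here.
from = alerts
# Email footer: plain text, tokens allowed.
footer.text = Generated by Splunk alerting. Do not reply to this address.

# Defaults for every Send email action; an individual alert can override them.
# Type: html corresponds to HTML & Plain Text, plain to Plain Text only.
content_type = html
sendresults = 0
include.view_link = 1
include.results_link = 1
include.search = 0
include.trigger = 1
include.trigger_time = 1
```

Restart Splunk or reload the configuration after editing so the new mail server settings take effect.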


Use a search command to send an email notification

You can send email notifications directly from the sendemail search command. Here is an example.

index=main | head 5 | sendemail to=<email address> server=<server info> subject="Here is an email notification" message="This is an example message" sendresults=true inline=true format=raw sendpdf=true

See the sendemail command listing in the Search Reference for more details.


Example - Send email to different recipients based on search results

This example shows you how you can use the $result.recipient$ token to make the Splunk software send notification emails to different recipients depending on the number of results returned by the search.

The $result.recipient$ token works in conjunction with an eval statement in the search. This eval statement sets the conditions under which emails are sent to specific addresses.

Here is an example of a search that is designed to work with $result.recipient$.

"error" | stats count | eval recipient=case(count > 3500, "recipient1@domain.com", count >= 500, "recipient2@domain.com", 1==1, null()) | where isnotnull(recipient)

After this search is saved as an alert or scheduled report, you design an email notification action for it where you type $result.recipient$ in the To field.

When the alert is triggered or the scheduled report runs on its schedule, a notification is sent to recipient1 if there are more than 3500 results. If there are between 500 and 3500 results, a notification is sent to recipient2. If fewer than 500 results are returned, neither condition applies and no notification is sent.
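As an added example that is not part of the Splunk documentation, the following Python models the recipient routing of that search and the $result.recipient$ substitution in the To field, so the threshold boundaries can be checked before the alert is deployed. The token-expansion function and the choice to expand a missing field to an empty string are assumptions made here, not Splunk's own implementation.

```python
import re
from typing import Dict, List, Optional

# Addresses and thresholds taken from the search on the page.
RECIPIENT_HIGH = "recipient1@domain.com"   # count > 3500
RECIPIENT_MID = "recipient2@domain.com"    # 500 <= count <= 3500


def route_recipient(count: int) -> Optional[str]:
    """Mirror eval recipient=case(count > 3500, r1, count >= 500, r2, 1==1, null()).

    case() returns the value for the first true condition, so branch order
    matters: 3600 takes the first branch, 3500 the second. None stands for
    SPL null(); 'where isnotnull(recipient)' then drops that row.
    """
    if count > 3500:
        return RECIPIENT_HIGH
    if count >= 500:
        return RECIPIENT_MID
    return None


def run_search(count: int) -> List[Dict]:
    """Emulate 'stats count | eval recipient=... | where isnotnull(recipient)'.

    stats count always yields exactly one row; the where clause removes it
    when no recipient was assigned, leaving an empty result set.
    """
    row = {"count": count, "recipient": route_recipient(count)}
    return [row] if row["recipient"] is not None else []


TOKEN = re.compile(r"\$result\.([A-Za-z0-9_]+)\$")


def expand_result_tokens(template: str, results: List[Dict]) -> Optional[str]:
    """Resolve $result.<field>$ tokens from the first result row.

    Returns None for an empty result set: with the default trigger condition
    (number of results greater than 0) the alert does not fire, so the To
    field is never rendered. A field absent from the row is assumed here to
    expand to an empty string.
    """
    if not results:
        return None
    first = results[0]
    return TOKEN.sub(lambda m: str(first.get(m.group(1), "")), template)


def resolve_to_field(count: int, template: str = "$result.recipient$") -> Optional[str]:
    """Rendered To field for a search that returned 'count' events."""
    return expand_result_tokens(template, run_search(count))
```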


User role configuration for PDF delivery

The following capabilities are required for PDF delivery scheduling.

  • schedule_search
  • admin_all_objects. This capability is required if the mail host requires login credentials.

See About defining roles with capabilities in the Security Manual for more information.


This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1
