Splunk® Enterprise

Search Reference

Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF



Use the sendemail command to generate email notifications. You can email search results to specified email addresses.


sendemail to=<email_list>

[format=csv | table | raw]
[inline= <bool>]
[priority=highest | high | normal | low | lowest]
[content_type=html | plain]
[papersize=letter | legal | ledger | a2 | a3 | a4 | a5]
[paperorientation=portrait | landscape]
[maxtime=<int> m | s | h | d]

Required arguments

Syntax: to=<email_list>
Description: List of email addresses to send search results to.

Optional arguments

Syntax: bcc=<email_list>
Description: Blind courtesy copy line. Specify email addresses in a comma-separated and quoted list.
Syntax: cc=<email_list>
Description: Courtesy copy line. Specify email addresses in a comma-separated and quoted list.
Syntax: content_type=html | plain
Description: The format type of the email.
Default: html
Syntax: format=csv | table | raw
Description: Specifies how to format inline results.
Default: table
Syntax: footer=<string>
Description: Specify an alternate email footer.
"If you believe you've received this email in error, please see your Splunk administrator.
splunk > the engine for machine data."
Note: To force a new line in the footer, use Shift+Enter.
Syntax: from=<email_list>
Description: Email address from line.
Default: "splunk@<hostname>"
Syntax: inline=<boolean>
Description: Specifies whether to send the results in the message body or as an attachment. Attachments are provided as csv.
Default: true
Syntax: graceful=<boolean>
Description: If set to true, no error is returned if sending the email fails for whatever reason. The remainder of the search continues as if the the sendemail command was not part of the search. If graceful=false and sending the email fails, the search returns an error.
Default: false
Syntax: maxinputs=<integer>
Description: Set the maximum number of search results sent via alerts.
Default: 50000
Syntax: maxtime=<integer>m | s | h | d
Description: The maximum amount of time that the execution of an action is allowed to take before the action is aborted.
Example: 2m
Default: no limit
Syntax: message=<string>
Description: Specifies the message sent in the email.
Default: The default message depends on which other arguments are specified with the sendemail command.
  • If sendresults=true, the message defaults to "Search complete."
  • If sendresults=true, inline=true, and either sendpdf=false or sendcsv=false, message defaults to "Search results."
  • If sendpdf=true or sendcsv=true, message defaults to "Search results attached."
Syntax: paperorientation=portrait | landscape
Description: The orientation of the paper.
Default: portrait
Syntax: papersize=letter | legal | ledger | a2 | a3 | a4 | a5
Description: Default paper size for PDFs. Acceptable values: letter, legal, ledger, a2, a3, a4, a5.
Default: letter
Syntax: pdfview=<string>
Description: Name of view to send as a PDF.
Syntax: priority=highest | high | normal | low | lowest
Description: Set the priority of the email as it appears in the email client. Lowest or 5, low or 4, high or 2, highest or 1.
Default: normal or 3
Syntax: sendcsv=<boolean>
Description: Specify whether to send the results with the email as an attached csv file or not.
Default: false
Syntax: sendpdf=<boolean>
Description: Specify whether to send the results with the email as an attached PDF or not. For more information about generating PDFs, see "Generate PDFs of your reports and dashboards" in the Reporting Manual.
Default: false
Syntax: sendresults=<boolean>
Description: Determines whether the results should be included with the email.
Default: false
Syntax: server=<string>
Description: If the SMTP server is not local, use this to specify it.
Default: localhost
Syntax: subject=<string>
Description: Specifies the subject line.
Default: "Splunk Results"
Syntax: use_ssl=<boolean>
Description: Whether to use SSL when communicating with the SMTP server. When set to 1 (true), you must also specify both the server name or IP address and the TCP port in the "mailserver" attribute.
Default: false
Syntax: use_tls=<boolean>
Description: Specify whether to use TLS (transport layer security) when communicating with the SMTP server (starttls).
Default: false
Syntax: width_sort_columns=<boolean>
Description: This is only valid for plain text emails. Specifies whether the columns should be sorted by their width.
Default: true


1: Send search results to the specified email

Send search results to the specified email. By default, the results are formatted as table.

... | sendemail to="elvis@splunk.com" sendresults=true

2: Send search results in table format

Send search results in a raw format with the subject "myresults".

... | sendemail to="elvis@splunk.com,john@splunk.com" format=raw subject=myresults server=mail.splunk.com sendresults=true

3. Include a PDF attachment, a message, and raw inline results

Send an email notification with a PDF attachment, a message, and results formatted as raw. By default the raw results are placed inline with the message.

index=_internal | head 5 | sendemail to=example@splunk.com server=mail.example.com subject="Here is an email from Splunk" message="This is an example message" sendresults=true format=raw sendpdf=true


Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the sendemail command.


This documentation applies to the following versions of Splunk® Enterprise: 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11


It is not possible now, but I have opened a JIRA against the engineering team to add this capability.

Lstewart splunk, Splunker
October 11, 2016

is it possible to have the current search query to be included into the email when sendemail command runs?

September 23, 2016

Hello Saurabh
The message argument was added to the syntax in Version 6.1, which is why it is not working in 5.0.5.
You can see the differences in the syntax if you change the documentation version.

Lstewart splunk, Splunker
August 29, 2016


Cant we get custom message using the sendemail message option ? All I get is the search complete message. Is there a way I can get a custom message instead of this ??
Please assists.

August 24, 2016

Can the sendmail command be used to send multiple mails based on receiver information in the search result? So if I have a result with 10 events and each event containts an email adress I want to send 10 mails with specific information from each Event to 10 different receivers. When I try this, only one mail is send based on the data of the first event in the search result set.

February 4, 2015

Thanks Greich. I've updated the syntax to include the subject argument.

October 15, 2014

the "subject" argument is not listed in the Syntax subsection

October 15, 2014

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters