sendemail

Description

Use the sendemail command to generate email notifications. You can email search results to specified email addresses.

Syntax

sendemail to=<email_list>

[from=<email_list>]

[cc=<email_list>]

[bcc=<email_list>]

[subject=<string>]

[format=csv | table | raw]

[inline= <bool>]

[sendresults=<bool>]

[sendpdf=<bool>]

[priority=highest | high | normal | low | lowest]

[server=<string>]

[width_sort_columns=<bool>]

[graceful=<bool>]

[content_type=html | plain]

[message=<string>]

[sendcsv=<bool>]

[use_ssl=<bool>]

[use_tls=<bool>]

[pdfview=<string>]

[papersize=letter | legal | ledger | a2 | a3 | a4 | a5]

[paperorientation=portrait | landscape]

[maxinputs=<int>]

[maxtime=<int> m | s | h | d]

[footer=<string>]

Required arguments

to

Syntax: to=<email_list>

Description: List of email addresses to send search results to.

Optional arguments

bcc

Syntax: bcc=<email_list>

Description: Blind courtesy copy line. Specify email addresses in a comma-separated and quoted list.

cc

Syntax: cc=<email_list>

Description: Courtesy copy line. Specify email addresses in a comma-separated and quoted list.

content_type

Syntax: content_type=html | plain

Description: The format type of the email.

Default: html

format

Syntax: format=csv | table | raw

Description: Specifies how to format inline results.

Default: table

footer

Syntax: footer=<string>

Description: Specify an alternate email footer.

Default:

"If you believe you've received this email in error, please see your Splunk administrator.

splunk > the engine for machine data."

Note: To force a new line in the footer, use Shift+Enter.

from

Syntax: from=<email_list>

Description: Email address from line.

Default: "splunk@<hostname>"

inline

Syntax: inline=<boolean>

Description: Specifies whether to send the results in the message body or as an attachment. Attachments are provided as csv.

Default: true

graceful

Syntax: graceful=<boolean>

Description: If set to true, no error is returned if sending the email fails for whatever reason. The remainder of the search continues as if the the sendemail command was not part of the search. If graceful=false and sending the email fails, the search returns an error.

Default: false

maxinputs

Syntax: maxinputs=<integer>

Description: Set the maximum number of search results sent via alerts.

Default: 50000

maxtime

Syntax: maxtime=<integer>m | s | h | d

Description: The maximum amount of time that the execution of an action is allowed to take before the action is aborted.

Example: 2m

Default: no limit

message

Syntax: message=<string>

Description: Specifies the message sent in the email.

Default: The default message depends on which other arguments are specified with the sendemail command.

• If sendresults=true, the message defaults to "Search complete."
• If sendresults=true, inline=true, and either sendpdf=false or sendcsv=false, message defaults to "Search results."
• If sendpdf=true or sendcsv=true, message defaults to "Search results attached."

paperorientation

Syntax: paperorientation=portrait | landscape

Description: The orientation of the paper.

Default: portrait

papersize

Syntax: papersize=letter | legal | ledger | a2 | a3 | a4 | a5

Description: Default paper size for PDFs. Acceptable values: letter, legal, ledger, a2, a3, a4, a5.

Default: letter

pdfview

Syntax: pdfview=<string>

Description: Name of view to send as a PDF.

priority

Syntax: priority=highest | high | normal | low | lowest

Description: Set the priority of the email as it appears in the email client. Lowest or 5, low or 4, high or 2, highest or 1.

Default: normal or 3

sendcsv

Syntax: sendcsv=<boolean>

Description: Specify whether to send the results with the email as an attached csv file or not.

Default: false

sendpdf

Syntax: sendpdf=<boolean>

Description: Specify whether to send the results with the email as an attached PDF or not. For more information about generating PDFs, see "Generate PDFs of your reports and dashboards" in the Reporting Manual.

Default: false

sendresults

Syntax: sendresults=<boolean>

Description: Determines whether the results should be included with the email.

Default: false

server

Syntax: server=<string>

Description: If the SMTP server is not local, use this to specify it.

Default: localhost

subject

Syntax: subject=<string>

Description: Specifies the subject line.

Default: "Splunk Results"

use_ssl

Syntax: use_ssl=<boolean>

Description: Whether to use SSL when communicating with the SMTP server. When set to 1 (true), you must also specify both the server name or IP address and the TCP port in the "mailserver" attribute.

Default: false

use_tls

Syntax: use_tls=<boolean>

Description: Specify whether to use TLS (transport layer security) when communicating with the SMTP server (starttls).

Default: false

width_sort_columns

Syntax: width_sort_columns=<boolean>

Description: This is only valid for plain text emails. Specifies whether the columns should be sorted by their width.

Default: true

Examples

1: Send search results to the specified email

Send search results to the specified email. By default, the results are formatted as table.

... | sendemail to="elvis@splunk.com" sendresults=true

2: Send search results in table format

Send search results in a raw format with the subject "myresults".

... | sendemail to="elvis@splunk.com,john@splunk.com" format=raw subject=myresults server=mail.splunk.com sendresults=true

3. Include a PDF attachment, a message, and raw inline results

Send an email notification with a PDF attachment, a message, and results formatted as raw. By default the raw results are placed inline with the message.

index=_internal | head 5 | sendemail to=example@splunk.com server=mail.example.com subject="Here is an email from Splunk" message="This is an example message" sendresults=true format=raw sendpdf=true

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the sendemail command.