Related Answers
Download topic as PDF
sendemail
Description
Use the sendemail command to generate email notifications. You can email search results to specified email addresses.
Syntax
sendemail to=<email_list>
- [from=<email_list>]
- [cc=<email_list>]
- [bcc=<email_list>]
- [subject=<string>]
- [format=csv | table | raw]
- [inline= <bool>]
- [sendresults=<bool>]
- [sendpdf=<bool>]
- [priority=highest | high | normal | low | lowest]
- [server=<string>]
- [width_sort_columns=<bool>]
- [graceful=<bool>]
- [content_type=html | plain]
- [message=<string>]
- [sendcsv=<bool>]
- [use_ssl=<bool>]
- [use_tls=<bool>]
- [pdfview=<string>]
- [papersize=letter | legal | ledger | a2 | a3 | a4 | a5]
- [paperorientation=portrait | landscape]
- [maxinputs=<int>]
- [maxtime=<int> m | s | h | d]
- [footer=<string>]
Required arguments
- to
- Syntax: to=<email_list>
- Description: List of email addresses to send search results to.
Optional arguments
- bcc
- Syntax: bcc=<email_list>
- Description: Blind courtesy copy line. Specify email addresses in a comma-separated and quoted list.
- cc
- Syntax: cc=<email_list>
- Description: Courtesy copy line. Specify email addresses in a comma-separated and quoted list.
- content_type
- Syntax: content_type=html | plain
- Description: The format type of the email.
- Default: html
- format
- Syntax: format=csv | table | raw
- Description: Specifies how to format inline results.
- Default: table
- footer
- Syntax: footer=<string>
- Description: Specify an alternate email footer.
- Default:
- "If you believe you've received this email in error, please see your Splunk administrator.
- splunk > the engine for machine data."
- Note: To force a new line in the footer, use Shift+Enter.
- from
- Syntax: from=<email_list>
- Description: Email address from line.
- Default: "splunk@<hostname>"
- inline
- Syntax: inline=<boolean>
- Description: Specifies whether to send the results in the message body or as an attachment. Attachments are provided as csv.
- Default: true
- graceful
- Syntax: graceful=<boolean>
- Description: If set to true, no error is returned if sending the email fails for whatever reason. The remainder of the search continues as if the the sendemail command was not part of the search. If
graceful=falseand sending the email fails, the search returns an error. - Default: false
- maxinputs
- Syntax: maxinputs=<integer>
- Description: Set the maximum number of search results sent via alerts.
- Default: 50000
- maxtime
- Syntax: maxtime=<integer>m | s | h | d
- Description: The maximum amount of time that the execution of an action is allowed to take before the action is aborted.
- Example: 2m
- Default: no limit
- message
- Syntax: message=<string>
- Description: Specifies the message sent in the email.
- Default: The default message depends on which other arguments are specified with the
sendemailcommand.- If sendresults=true, the message defaults to "Search complete."
- If sendresults=true, inline=true, and either sendpdf=false or sendcsv=false, message defaults to "Search results."
- If sendpdf=true or sendcsv=true, message defaults to "Search results attached."
- paperorientation
- Syntax: paperorientation=portrait | landscape
- Description: The orientation of the paper.
- Default: portrait
- papersize
- Syntax: papersize=letter | legal | ledger | a2 | a3 | a4 | a5
- Description: Default paper size for PDFs. Acceptable values: letter, legal, ledger, a2, a3, a4, a5.
- Default: letter
- pdfview
- Syntax: pdfview=<string>
- Description: Name of view to send as a PDF.
- priority
- Syntax: priority=highest | high | normal | low | lowest
- Description: Set the priority of the email as it appears in the email client. Lowest or 5, low or 4, high or 2, highest or 1.
- Default: normal or 3
- sendcsv
- Syntax: sendcsv=<boolean>
- Description: Specify whether to send the results with the email as an attached csv file or not.
- Default: false
- sendpdf
- Syntax: sendpdf=<boolean>
- Description: Specify whether to send the results with the email as an attached PDF or not. For more information about generating PDFs, see "Generate PDFs of your reports and dashboards" in the Reporting Manual.
- Default: false
- sendresults
- Syntax: sendresults=<boolean>
- Description: Determines whether the results should be included with the email.
- Default: false
- server
- Syntax: server=<string>
- Description: If the SMTP server is not local, use this to specify it.
- Default: localhost
- subject
- Syntax: subject=<string>
- Description: Specifies the subject line.
- Default: "Splunk Results"
- use_ssl
- Syntax: use_ssl=<boolean>
- Description: Whether to use SSL when communicating with the SMTP server. When set to 1 (true), you must also specify both the server name or IP address and the TCP port in the "mailserver" attribute.
- Default: false
- use_tls
- Syntax: use_tls=<boolean>
- Description: Specify whether to use TLS (transport layer security) when communicating with the SMTP server (starttls).
- Default: false
- width_sort_columns
- Syntax: width_sort_columns=<boolean>
- Description: This is only valid for plain text emails. Specifies whether the columns should be sorted by their width.
- Default: true
Examples
1: Send search results to the specified email
Send search results to the specified email. By default, the results are formatted as table.
... | sendemail to="elvis@splunk.com" sendresults=true
2: Send search results in table format
Send search results in a raw format with the subject "myresults".
... | sendemail to="elvis@splunk.com,john@splunk.com" format=raw subject=myresults server=mail.splunk.com sendresults=true
3. Include a PDF attachment, a message, and raw inline results
Send an email notification with a PDF attachment, a message, and results formatted as raw. By default the raw results are placed inline with the message.
index=_internal | head 5 | sendemail to=example@splunk.com server=mail.example.com subject="Here is an email from Splunk" message="This is an example message" sendresults=true format=raw sendpdf=true
Answers
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the sendemail command.
|
PREVIOUS selfjoin |
NEXT set |
This documentation applies to the following versions of Splunk® Enterprise: 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11
Comments
is it possible to have the current search query to be included into the email when sendemail command runs?
Hello Saurabh
The message argument was added to the syntax in Version 6.1, which is why it is not working in 5.0.5.
You can see the differences in the syntax if you change the documentation version.
Hi,
Cant we get custom message using the sendemail message option ? All I get is the search complete message. Is there a way I can get a custom message instead of this ??
Please assists.
Can the sendmail command be used to send multiple mails based on receiver information in the search result? So if I have a result with 10 events and each event containts an email adress I want to send 10 mails with specific information from each Event to 10 different receivers. When I try this, only one mail is send based on the data of the first event in the search result set.
Thanks Greich. I've updated the syntax to include the subject argument.
the "subject" argument is not listed in the Syntax subsection
Spammenot66
It is not possible now, but I have opened a JIRA against the engineering team to add this capability.