
Email notification action
Send an email notification to specified recipients when an alert triggers. Email notifications can include information from search results, the search job, and alert triggering. You can set up an email notification action from the Search page, the Alerts page, or directly in a search command.
In addition to alerting, there are other email notification contexts. For information on email notifications for reports, see Schedule reports in the Reporting Manual. For information on dashboard PDF email delivery, see Generate Dashboard PDFs in the Dashboards and Visualizations manual.
Configure email notification from the Search or Alerts page
You can configure email notifications when you save a search as an alert. You can also configure email notifications when editing alert actions. The steps are the same for both options.
Prerequisites
- Before you can send an email notification, configure the email notification settings in the Settings page. See Configure email notification settings.
- PDF delivery requires additional user role configuration. See User role configuration for PDF delivery.
- To review token usage, see "Use tokens in email notifications" in this manual.
Steps for configuring email notification
- You can configure the email notification action when creating a new alert or editing an existing alert's actions. Follow one of the options below.
- Create a new alert: From the Search page in the Search and Reporting app, select Save As > Alert. Enter alert details and configure triggering and throttling as needed.
- Edit an existing alert: From the Alerts page in the Search and Reporting app, select Edit > Edit actions for an existing alert.
- From the Add Actions menu, select Send email.
- Specify the following information.
To, CC, and/or BCC fields. Add a comma-separated list of recipients. Use text and/or tokens to specify recipients.
Priority. Indicate a priority level. Priority handling varies by email client.
Subject. Add text and/or tokens.
Message. Add text and/or tokens.
Include. Select what information to add to the email notification. Options include the following items.
- Link to the alert
- Search string
- Trigger condition
- Trigger time
- Information about search results
- Link to results
- Inline results formatted as a table, raw events, or CSV file
- Results as a CSV attachment
- Results as a PDF attachment
- Click Save.
The following steps are the same for saving new alerts or editing existing alerts.
Send email notification from a search command
You can send email notifications directly from the sendemail search command. Here is an example.
index=main | head 5 | sendemail to=<email address> server=<server info> subject="Here is an email notification" message="This is an example message" sendresults=true inline=true format=raw sendpdf=true
See the sendemail command listing in the Search Reference for more details.
Send email to different recipients based on search results
This search example works with a token in the To email notification field to handle different notifications based on the result count. If there are more than 3500 results, a notification goes to recipient1. If there are fewer than 500 results, the notification goes to recipient2. If neither condition applies, then no notification is sent.
Here is the search.
"error" | stats count | eval recipient=case(count > 3500, "recipient1@domain.com", count >= 500, "recipient2@domain.com", 1==1, null()) | where isnotnull(recipient)
When the search is saved as an alert, configure the Send email alert action with the following token in the To recipient field.
$result.recipient$
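The routing above, simulated outside Splunk as an added example (not code from the original page or from Splunk): it mirrors the case() expression exactly as written in the search, expands the $result.recipient$ token into the To field, and, because the recipient comes from event data, refuses any address outside an assumed allowlist of domains before the message is built.

```python
import re
from email.message import EmailMessage

# Assumption: the only domains alert mail may be delivered to. Because the To
# field comes from event data via $result.recipient$, each address is checked
# against this list before a message is built.
ALLOWED_DOMAINS = {"domain.com"}

TOKEN = re.compile(r"\$result\.([A-Za-z0-9_]+)\$")


def route_recipient(count):
    """Mirror the case() expression exactly as written in the search:
    count > 3500 -> recipient1, count >= 500 -> recipient2, else None.
    None is the row that `where isnotnull(recipient)` drops."""
    if count > 3500:
        return "recipient1@domain.com"
    if count >= 500:
        return "recipient2@domain.com"
    return None


def expand_tokens(template, result):
    """Replace $result.<field>$ tokens with values from the first result row."""
    return TOKEN.sub(
        lambda m: "" if (v := result.get(m.group(1))) is None else str(v), template)


def build_notification(result, to_template="$result.recipient$",
                       subject_template="Alert: $result.count$ error events"):
    """Build the message the Send email action would produce for one row.
    Returns None when the expanded To field is empty (nothing is sent)."""
    to_field = expand_tokens(to_template, result)
    recipients = [a.strip() for a in to_field.split(",") if a.strip()]
    if not recipients:
        return None
    for addr in recipients:
        local, sep, domain = addr.rpartition("@")
        if not (local and sep) or domain.lower() not in ALLOWED_DOMAINS:
            raise ValueError(f"refusing recipient {addr!r}: not an allowed address")
    msg = EmailMessage()
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = expand_tokens(subject_template, result)
    msg.set_content(f"The search returned {result['count']} results.")
    return msg


def notify_for_count(count):
    """Constructed `stats count` row -> eval recipient -> where -> email."""
    row = {"count": count, "recipient": route_recipient(count)}
    if row["recipient"] is None:
        return None
    return build_notification(row)
```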
Configure email notification settings
Before you send an email notification for an alert, configure email notification settings.
- From the Search and Reporting app home page, select Settings > Server settings > Email settings.
- Select Mail Server Settings.
- Enter values for the following fields.
- Mail host. The default value is localhost.
- Email security. Select one of the available options.
- (Optional) Username and Password. Username and password for authentication with the SMTP server.
- Specify Email Format settings.
- Link hostname. The hostname for outgoing results URLs. Enclose IPv6 addresses in square brackets. For example, use [2001:db8:0:1].
- Send emails as. (Optional) Specify a sender identification, used in the "From" email header field. Use an email address or a string. Strings are concatenated with "@<hostname>", using the hostname specified in alert_actions.conf for the machine sending the email notification, or "@localhost" if no hostname is specified. Defaults to "splunk@<hostname>" or "splunk@localhost" if no hostname is specified.
- Email footer. Footer for all emails. Use text and/or tokens.
- Specify PDF Report Settings as needed.
- Click Save.
If you have Splunk Enterprise, you can configure email alert settings by editing the alert_actions.conf configuration file. For details, see alert_actions.conf.
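An added example (not code from the original page or from Splunk) that applies the "Send emails as" and "Link hostname" rules above to a constructed alert_actions.conf [email] stanza and flags two settings worth checking before enabling alerts: an unbracketed IPv6 link hostname, and SMTP credentials configured with neither SSL nor TLS enabled. The key names are assumed from the alert_actions.conf specification; the values are placeholders.

```python
import configparser

# Constructed sample of an alert_actions.conf [email] stanza, not copied from
# any deployment. The key names used here (mailserver, use_ssl, use_tls,
# auth_username, auth_password, hostname, from) are assumed from the
# alert_actions.conf specification; values are placeholders.
SAMPLE_CONF = """\
[email]
mailserver = smtp.example.com:25
use_ssl = 0
use_tls = 0
auth_username = splunk-alerts
auth_password = PLACEHOLDER
hostname = 2001:db8::1
from = splunk-alerts
"""


def load_email_stanza(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return dict(cp["email"]) if cp.has_section("email") else {}


def is_on(email, key):
    return email.get(key, "0").strip().lower() in {"1", "true", "yes"}


def effective_from(email):
    """Apply the 'Send emails as' rule from the settings above: a full address
    is used as-is; a bare string gets '@<hostname>' or '@localhost' appended."""
    sender = email.get("from", "").strip() or "splunk"
    if "@" in sender:
        return sender
    return f"{sender}@{email.get('hostname', '').strip() or 'localhost'}"


def audit_email_settings(email):
    """Findings a reviewer would raise on the stanza before enabling alerts."""
    findings = []
    host = email.get("hostname", "").strip()
    if host.count(":") >= 2 and not (host.startswith("[") and host.endswith("]")):
        findings.append("hostname: enclose the IPv6 address in square brackets")
    if email.get("auth_username") and not (is_on(email, "use_ssl")
                                           or is_on(email, "use_tls")):
        findings.append("SMTP credentials are set but use_ssl and use_tls are "
                        "both off: authentication would run over cleartext SMTP")
    return findings
```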
User role configuration for PDF delivery
The following capabilities are required for PDF delivery scheduling.
- schedule_search
- admin_all_objects. This capability is required only if the mail host requires login credentials.
See About defining roles with capabilities in the Security Manual for more information.
This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10