Email notification action

Send an email notification to specified recipients when an alert triggers. Email notifications can include information from search results, the search job, and alert triggering. You can set up an email notification action from the Search page, the Alerts page, or directly in a search command.

In addition to alerting, there are other email notification contexts. For information on email notifications for reports, see Schedule reports in the Reporting Manual. For information on dashboard PDF email delivery, see Generate Dashboard PDFs in the Dashboards and Visualizations manual.

Configure email notification from the Search or Alerts page

You can configure email notifications when you save a search as an alert. You can also configure email notifications when editing alert actions. The steps are the same for both options.

Prerequisites

• Before you can send an email notification, configure the email notification settings in the Settings page. See Configure email notification settings.
• PDF delivery requires additional user role configuration. See User role configuration for PDF delivery.
• To review token usage, see "Use tokens in email notifications" in this manual.

Steps for configuring email notification

1. You can configure the email notification action when creating a new alert or editing an existing alert's actions. Follow one of the options below.
   

   Option	Steps
   Create a new alert	From the Search page in the Search and Reporting app, select Save As > Alert. Enter alert details and configure triggering and throttling as needed.
   Edit an existing alert	From the Alerts page in the Search and Reporting app, select Edit>Edit actions for an existing alert.

The followings steps are the same for saving new alerts or editing existing alerts.

2. From the Add Actions menu, select Send email.
3. Specify the following information. To, CC, and/or BCC fields. Add a comma-separated list of recipients. Use text and/or tokens to specify recipients.
   Priority. Indicate a priority level. Priority handling varies by email client.
   Subject. Add text and/or tokens.
   Message. Add text and/or tokens.
   Include. Select what information to add to the email notification. Options include the following items.
   
   • Link to the alert
   • Search string
   • Trigger condition
   • Trigger time
   • Information about search results
   • Link to results
   • Inline results formatted as a table, raw events, or CSV file
   • Results as a CSV attachment
   • Results as a PDF attachment
     
     
   Type. Select HTML & Plain Text (multi-MIME message) or Plain Text.
4. Click Save.

Send email notification from a search command

You can send email notifications directly from the sendemail search command. Here is an example.

 index=main | head 5 | sendemail to=<email address> server=<server info> subject="Here is an email notification" message="This is an example message" sendresults=true inline=true format=raw sendpdf=true 

See the sendemail command listing in the Search Reference for more details.

Send email to different recipients based on search results

This search example works with a token in the To email notification field to handle different notifications based on the result count. If there are more than 3500 results, a notification goes to recipient1. If there are fewer than 500 results, the notification goes to recipient2. If neither condition applies, then no notification is sent.

Here is the search.

"error" | stats count | eval recipient=case(count > 3500, "recipient1@domain.com", count >= 500, "recipient2@domain.com", 1==1, null()) | where isnotnull(recipient)

When the search is saved as an alert, configure the Send email alert action with the following token in the To recipient field.

$result.recipient$

Configure email notification settings

Before you send an email notification for an alert, configure email notification settings.

1. From the Search and Reporting app home page, select Settings > Server settings > Email settings.
   
2. Select Mail Server Settings.
   
3. Enter values for the following fields.
   
   1. Mail host. The default value is localhost.
   2. Email security. Select one of the available options.
   3. (Optional) Username and Password. Username and password for authentication with the SMTP server.
4. Specify Email Format settings.
   
   1. Link hostname. The hostname for outgoing results URLs. Enclose IPv6 addresses in square brackets. For example, use [2001:db8:0:1].
   2. Send emails as. (Optional) Specify a sender identification, used in the "From" email header field. Use an email address or a string. Strings are concatenated with "@<hostname>", using the hostname specified in alert_actions.conffor the machine sending the email notification or "@localhost" if no hostname is specified. Defaults to "splunk@<hostname>" or "splunk@localhost" if no hostname is specified.
   3. Email footer. Footer for all emails. Use text and/or tokens.
5. Specify PDF Report Settings as needed.
   
6. Click Save.

If you have Splunk Enterprise, you can configure email alert settings by editing the alert_actions.conf configuration file. For details, see alert_actions.conf.

User role configuration for PDF delivery

The following capabilities are required for PDF delivery scheduling.

• schedule_search
• admin_all_objects. This capability is required only if the mail host requires login credentials.

See About defining roles with capabilities in the Security Manual for more information.