Splunk® Enterprise

Alerting Manual


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk.

Email notification action

Send an email notification to specified recipients when an alert triggers. Email notifications can include information from search results, the search job, and alert triggering. You can set up an email notification action from the Search page, the Alerts page, or directly in a search command.

In addition to alerting, there are other email notification contexts. For information on email notifications for reports, see Schedule reports in the Reporting Manual. For information on dashboard PDF email delivery, see Generate Dashboard PDFs in the Dashboards and Visualizations manual.

Configure email notification from the Search or Alerts page

You can configure email notifications when you save a search as an alert. You can also configure email notifications when editing alert actions. The steps are the same for both options.


  • Before you can send an email notification, configure the email notification settings in the Settings page. See Configure email notification settings.
  • To send an email notification within a search to a mail server that requires SMTP authentication, you must have the admin role assigned.
  • To send an email notification within a search to a mail server that does not require SMTP authentication, you must have the list_settings capability. By default, only the admin, splunk-system-role, and can_delete roles are assigned the list_settings capability.
    If you want to allow users not belonging to any of these roles to send email notifications using the sendemail command in their search, you must assign them the list_settings capability. For more information on roles and capabilities, see "About defining roles with capabilities" in the Securing Splunk Enterprise Manual.
  • PDF delivery requires additional user role configuration. See User role configuration for PDF delivery.
  • To review token usage, see "Use tokens in email notifications" in this manual.

Steps for configuring email notification

  1. You can configure the email notification action when creating a new alert or editing an existing alert's actions. Follow one of the options below.
    • Create a new alert: From the Search page in the Search and Reporting app, select Save As > Alert. Enter alert details and configure triggering and throttling as needed.
    • Edit an existing alert: From the Alerts page in the Search and Reporting app, select Edit > Edit actions for an existing alert.
  2. The following steps are the same for saving new alerts or editing existing alerts.
  3. From the Add Actions menu, select Send email.
  4. Specify the following information.
    To, CC, and/or BCC fields. Add a comma-separated list of recipients. Use text and/or tokens to specify recipients.
    Priority. Indicate a priority level. Priority handling varies by email client.
    Subject. Add text and/or tokens.
    Message. Add text and/or tokens.
    Include. Select what information to add to the email notification. Options include the following items.
    • Link to the alert
    • Search string
    • Trigger condition
    • Trigger time
    • Information about search results
    • Link to results
    • Inline results formatted as a table, raw events, or CSV file
    • Results as a CSV attachment
    • Results as a PDF attachment

    Type. Select HTML & Plain Text (multi-MIME message) or Plain Text.
  5. Click Save.

Send email notification from a search command

You can send email notifications directly from the sendemail search command. Here is an example.

 index=main | head 5 | sendemail to=<email address> server=<server info> subject="Here is an email notification" message="This is an example message" sendresults=true inline=true format=raw sendpdf=true 

See the sendemail command listing in the Search Reference for more details.

Send email to different recipients based on search results

This search example works with a token in the To email notification field to handle different notifications based on the result count. If there are more than 3500 results, a notification goes to recipient1. If there are fewer than 500 results, the notification goes to recipient2. If neither condition applies, then no notification is sent.

Here is the search.

"error" | stats count | eval recipient=case(count > 3500, "recipient1@domain.com", count >= 500, "recipient2@domain.com", 1==1, null()) | where isnotnull(recipient)

When the search is saved as an alert, configure the Send email alert action with the following token in the To recipient field.
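As an added example that is not part of the Splunk documentation, here is what the alert configured through the steps above looks like once saved, combined with the recipient-routing search from this section, as a stanza in savedsearches.conf. The stanza name, schedule and trigger threshold are constructed for illustration, and the $result.<field>$ token form is assumed here to carry the search's recipient field into the To field.

```ini
# Added example, not from the Splunk documentation: an alert stanza in
# $SPLUNK_HOME/etc/apps/search/local/savedsearches.conf equivalent to
# configuring the "Send email" action through the Alerts page.
# Stanza name, schedule and threshold are constructed for illustration.
[Error volume routing]
search = "error" | stats count | eval recipient=case(count > 3500, "recipient1@domain.com", count >= 500, "recipient2@domain.com", 1==1, null()) | where isnotnull(recipient)
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now

# Trigger whenever the search returns a row; the eval/where clauses in
# the search already decide whether anyone should be notified at all.
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
alert.track = 1

# "Send email" action. The To field reads the recipient from the
# result row via the $result.<field>$ token (assumed here).
action.email = 1
action.email.to = $result.recipient$
action.email.subject = Splunk Alert: $name$
action.email.message.alert = $name$ fired at $trigger_time$ with $job.resultCount$ result(s).
action.email.content_type = html
action.email.inline = 1
action.email.format = table
action.email.sendcsv = 0
action.email.sendpdf = 0
action.email.include.results_link = 1
action.email.include.search = 1
action.email.include.trigger = 1
action.email.include.trigger_time = 1
action.email.include.view_link = 1
```

Because the To address is taken from a result field, whatever controls that field chooses who receives the alert. Deriving it from fixed literals inside the search's eval, as above, keeps that decision with the alert owner; copying an address field straight out of indexed events would let the event data steer delivery.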


Configure email notification settings

Before you send an email notification for an alert, configure email notification settings.

  1. From the Search and Reporting app home page, select Settings > Server settings > Email settings.
  2. Select Mail Server Settings.
  3. Enter values for the following fields.
    1. Mail host. The default value is localhost.
    2. Email security. Select one of the available options.
    3. (Optional) Username and Password. Username and password for authentication with the SMTP server.
  4. Specify Email Format settings.
    1. Link hostname. The hostname for outgoing results URLs. Enclose IPv6 addresses in square brackets. For example, use [2001:db8:0:1].
    2. Send emails as. (Optional) Specify a sender identification, used in the "From" email header field. Use an email address or a string. Strings are concatenated with "@<hostname>", using the hostname specified in alert_actions.conf for the machine sending the email notification, or "@localhost" if no hostname is specified. Defaults to "splunk@<hostname>", or "splunk@localhost" if no hostname is specified.
    3. Email footer. Footer for all emails. Use text and/or tokens.
  5. Specify PDF Report Settings as needed.
  6. Click Save.

If you have Splunk Enterprise, you can configure email alert settings by editing the alert_actions.conf configuration file. For details, see alert_actions.conf.
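As an added example that is not part of the Splunk documentation, the [email] stanza below shows the settings from the steps above as they land in alert_actions.conf, with a weak relay configuration next to a corrected one. Host names, account names, the link hostname and the footer text are constructed placeholders.

```ini
# Added example, not from the Splunk documentation: the [email] stanza of
# $SPLUNK_HOME/etc/system/local/alert_actions.conf as written by the
# Settings > Server settings > Email settings page. All host names,
# addresses and the footer text are constructed placeholders.

# Weak: clear-text relay with no authentication, and an empty link
# hostname, so results links in the email point at "localhost" and
# cannot be opened by recipients. Commented out so the stanzas do not merge.
# [email]
# mailserver = localhost
# use_ssl = 0
# use_tls = 0
# hostname =
# from = splunk

# Corrected: submission port with STARTTLS, a dedicated relay account
# used only for alert mail, and a resolvable HTTPS link hostname.
[email]
mailserver = smtp.example.com:587
use_ssl = 0
use_tls = 1
auth_username = splunk-alerts@example.com
# Set the password through the UI or in clear text here; Splunk encrypts
# the value on the next restart. Keep local/alert_actions.conf readable
# only by the account Splunk runs as.
auth_password = <set-via-ui>
hostname = https://splunk.example.com:8000
from = splunk-alerts@example.com
footer.text = Sent by the SOC alerting instance. Questions: security@example.com
```

With authentication enabled on the relay, the page's earlier restriction applies: the sendemail command inside a search is then limited to the admin role, while unauthenticated relays only require the list_settings capability. Treat the grant of list_settings as a deliberate decision, since it lets a role send mail from any search it can run.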

User role configuration for PDF delivery

The following capabilities are required for PDF delivery scheduling.

  • schedule_search
  • admin_all_objects. This capability is required only if the mail host requires login credentials.
  • list_settings

See About defining roles with capabilities in the Security Manual for more information.

Last modified on 25 January, 2019

This documentation applies to the following versions of Splunk® Enterprise: 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10
