Splunk® Enterprise

Alerting Manual


Email notification action

Send an email notification to specified recipients when an alert triggers. Email notifications can include information from search results, the search job, and alert triggering. You can set up an email notification action from the Search page, the Alerts page, or directly in a search command.

In addition to alerting, there are other email notification contexts. For information on email notifications for reports, see Schedule reports in the Reporting Manual. For information on dashboard PDF email delivery, see Generate Dashboard PDFs in the Dashboards and Visualizations manual.


Configure email notification from the Search or Alerts page

You can configure email notifications when you save a search as an alert. You can also configure email notifications when editing alert actions. The steps are the same for both options.

Prerequisites


Steps for configuring email notification

  1. You can configure the email notification action when creating a new alert or editing an existing alert's actions. Follow one of the options below.
     • Create a new alert: From the Search page in the Search and Reporting app, select Save As > Alert. Enter alert details and configure triggering and throttling as needed.
     • Edit an existing alert: From the Alerts page in the Search and Reporting app, select Edit > Edit actions for an existing alert.
  2. The following steps are the same for saving new alerts or editing existing alerts.

  3. From the Add Actions menu, select Send email.
  4. Specify the following information.
    To, CC, and/or BCC. Add a comma-separated list of recipients. Use text and/or tokens to specify recipients.
    Priority. Indicate a priority level. Priority handling varies by email client.
    Subject. Add text and/or tokens.
    Message. Add text and/or tokens.
    Include. Select what information to add to the email notification. Options include the following items.
    • Link to the alert
    • Search string
    • Trigger condition
    • Trigger time
    • Information about search results
    • Link to results
    • Inline results formatted as a table, raw events, or CSV file
    • Results as a CSV attachment
    • Results as a PDF attachment

    Type. Select HTML & Plain Text (multi-MIME message) or Plain Text.
  5. Click Save.

Send email notification from a search command

You can send email notifications directly from the sendemail search command. Here is an example.

 index=main | head 5 | sendemail to=<email address> server=<server info> subject="Here is an email notification" message="This is an example message" sendresults=true inline=true format=raw sendpdf=true 

See the sendemail command listing in the Search Reference for more details.


Send email to different recipients based on search results

This search example works with a token in the To email notification field to route notifications based on the result count. If there are more than 3500 results, a notification goes to recipient1. If there are between 500 and 3500 results, the notification goes to recipient2. If there are fewer than 500 results, the recipient field is null, the where command drops the row, and no notification is sent. Because case() assigns only literal addresses, the recipient never comes directly from event data, which matters whenever the To field is populated from search results.

Here is the search.

"error" | stats count | eval recipient=case(count > 3500, "recipient1@domain.com", count >= 500, "recipient2@domain.com", 1==1, null()) | where isnotnull(recipient)

When the search is saved as an alert, configure the Send email alert action with the following token in the To recipient field.

$result.recipient$
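The alert built through the Search page steps above, and the recipient-routing search just shown, can also be expressed as a savedsearches.conf stanza. This is an added example written for this page, not configuration shipped by Splunk; the stanza name, the 15-minute schedule, the 1-hour throttle and the subject and message text are assumptions, and the two addresses are the placeholders from the search above.

```ini
# savedsearches.conf (in the app's local directory), added example.
# The stanza name is the alert name shown on the Alerts page.
[Route error alert by volume]
search = "error" | stats count | eval recipient=case(count > 3500, "recipient1@domain.com", count >= 500, "recipient2@domain.com", 1==1, null()) | where isnotnull(recipient)

# Schedule: run every 15 minutes over the last 15 minutes (assumed values).
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now

# Trigger when the search returns at least one row. stats count always
# returns one row, but the where command removes it when recipient is null,
# so the alert stays silent below 500 results.
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
alert.track = 1

# Throttle: at most one email per hour (assumed value).
alert.suppress = 1
alert.suppress.period = 1h

# Send email action. The To field takes its value from the result token;
# only the literal addresses assigned by case() can ever appear here.
action.email = 1
action.email.to = $result.recipient$
action.email.priority = 3
action.email.subject = Error volume alert: $result.count$ matching events
action.email.message.alert = The search "$search$" returned $result.count$ events.

# "Include" checkboxes from the UI, as config keys.
action.email.include.view_link = 1
action.email.include.search = 1
action.email.include.trigger = 1
action.email.include.trigger_time = 1
action.email.include.results_link = 1

# Inline results as a table; no CSV or PDF attachment, since attachments
# carry raw event data to every recipient on the list.
action.email.sendresults = 1
action.email.inline = 1
action.email.format = table
action.email.sendcsv = 0
action.email.sendpdf = 0

# Type: HTML & Plain Text (html) or Plain Text (plain).
action.email.content_type = html
```

After saving the file, restart Splunk or reload the app configuration, then confirm the alert appears on the Alerts page with the Send email action listed. Keep sendresults, sendcsv and sendpdf off for searches whose events contain data the recipients should not see; the results link is enough for recipients who have Splunk access.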

Configure email notification settings

Before you send an email notification for an alert, configure email notification settings.

  1. From the Search and Reporting app home page, select Settings > Server settings > Email settings.
  2. Select Mail Server Settings.
  3. Enter values for the following fields.
    1. Mail host. The default value is localhost.
    2. Email security. Select one of the available options.
    3. (Optional) Username and Password. Username and password for authentication with the SMTP server.
  4. Specify Email Format settings.
    1. Link hostname. The hostname for outgoing results URLs. Enclose IPv6 addresses in square brackets. For example, use [2001:db8:0:1].
    2. Send emails as. (Optional) Specify a sender identification, used in the "From" email header field. Use an email address or a string. A string is concatenated with "@<hostname>", using the hostname specified in alert_actions.conf for the machine sending the email notification, or with "@localhost" if no hostname is specified. Defaults to "splunk@<hostname>", or "splunk@localhost" if no hostname is specified.
    3. Email footer. Footer for all emails. Use text and/or tokens.
  5. Specify PDF Report Settings as needed.
  6. Click Save.


If you have Splunk Enterprise, you can configure email alert settings by editing the alert_actions.conf configuration file. For details, see alert_actions.conf.
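The same settings as they appear in alert_actions.conf, shown first with the out-of-the-box values and then hardened for a mail server that requires authenticated TLS. This is an added example for this page, not configuration shipped by Splunk; the mail host, port, account name and hostnames are assumptions, and in practice the two versions are the same [email] stanza at different times rather than two stanzas in one file.

```ini
# alert_actions.conf (in $SPLUNK_HOME/etc/system/local), added example.

# --- Before: defaults. Mail goes to a relay on localhost, in cleartext,
# --- without authentication, and the From address is "splunk@<hostname>".
[email]
mailserver = localhost
use_ssl = 0
use_tls = 0
auth_username =
auth_password =
from = splunk
hostname =

# --- After: authenticated submission over TLS to a dedicated relay.
[email]
# host[:port]; 587 is the submission port (assumed relay name and port).
mailserver = smtp.example.com:587
# STARTTLS on the submission port; use_ssl is for implicit TLS (port 465).
use_ssl = 0
use_tls = 1
# Dedicated sending account (assumed name). Set the password through
# Settings > Server settings > Email settings so it is stored encrypted,
# rather than leaving a cleartext value in this file.
auth_username = splunk-alerts@example.com
auth_password =
# Full address in From, so recipients can reply and SPF/DMARC line up
# with the relay that actually sends the mail.
from = splunk-alerts@example.com
# Hostname used in the "Link to results" and "Link to alert" URLs
# (assumed value); point it at the search head users actually reach.
hostname = search.example.com
# Footer appended to every notification.
footer.text = Sent by Splunk on $hostname$. Results may contain event data; do not forward.
```

After editing the file, restart Splunk, save a throwaway alert with the Send email action, and trigger it once to confirm delivery. If the relay rejects the connection, check splunkd.log for the sendemail error before loosening use_tls or the credentials.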


User role configuration for PDF delivery

The following capabilities are required for PDF delivery scheduling.

  • schedule_search
  • admin_all_objects. This capability is required only if the mail host requires login credentials.

See About defining roles with capabilities in the Security Manual for more information.


This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.6.0, 6.6.1, 6.6.2, 6.6.3

