Email notification action
Send an email notification to specified recipients when an alert triggers. Email notifications can include information from search results, the search job, and alert triggering. You can set up an email notification action from the Search page, the Alerts page, or directly in a search command.
In addition to alerting, there are other email notification contexts. For information on email notifications for reports, see Schedule reports in the Reporting Manual. For information on dashboard PDF email delivery, see Generate Dashboard PDFs in Dashboards and Visualizations.
Configure email notification for your Splunk instance
You must configure email notification settings for your Splunk implementation before you can design an email notification action.
If your email notification settings are already configured you can skip this task.
PDF delivery requires additional user role configuration. See "User role configuration for PDF delivery" at the bottom of this page.
- From the Search and Reporting app home page, select Settings > Server settings > Email settings.
- Select Mail Server Settings.
- Specify values for the following settings.
Setting Definition Mail host The default value is localhost. Email security Select one of the available options. Username Optional. Required for SMTP server authentication. Password Optional. Required for SMTP server authentication.
- Specify Email Format settings.
Email Format Setting Definition Link hostname The hostname for outgoing results URLs. Enclose IPv6 addresses in square brackets. Example: [2001:db8:0:1] Send emails as (Optional) Specify a sender identification, used in the From email header field. Use an email address or a string. Strings are concatenated with @<hostname>, using the hostname specified in
alert_actions.conffor the machine sending the email notification or @localhost if no hostname is specified. Defaults to splunk@<hostname> or splunk@localhost if no hostname is specified.
Email footer Footer for all emails. Use text and/or tokens.
- Click Save.
Define an email notification for an alert or scheduled report
- Before you can send an email notification, configure the email notification settings in the Settings page. See Configure email notification for your Splunk instance.
- To send an email notification within a search to a mail server that requires SMTP authentication, you must have the
- To send an email notification within a search to a mail server that does not require SMTP auth requires the
list_settingscapability. By default, only the
can_deleteroles are assigned the
If you want to allow users not belonging to any of these roles to send email notifications using the
sendemailcommand in their search, you must assign them the
list_settingscapability. For more information on roles and capabilities, see "About defining roles with capabilities" in the Securing Splunk Enterprise Manual.
- PDF delivery requires additional user role configuration. See "User role configuration for PDF delivery" at the bottom of this page.
- To review token usage, see Use tokens in email notifications.
- You can configure the email notification action when you create a new alert, edit the actions for an existing alert, or define or edit the schedule for a report. Follow one of the options below.
Option Steps Create a new alert From the Search page in the Search and Reporting app, select Save As > Alert. Enter alert details and configure triggering and throttling as needed. Edit an existing alert From the Alerts page in the Search and Reporting app, select Edit > Edit actions for an existing alert. Define or edit the schedule of a report From the Reports page in the Search and Reporting app, select Edit > Edit schedule for a report.
- Click Add Actions and select Send email.
- Type a comma-separated list of To email recipients.
- (Optional) Click Show CC and BCC to type comma-separated lists of CC, and BCC email recipients.
- (Optional) Set the email Priority. Enforcement of email priority depends on your email client.
- (Optional) Provide the email Subject and Message.
You can optionally use tokens in the subject and message text.
- (Optional) Select one or more of the following options to include material in the email.
Option Adds to email Link to Alert or Link to Report A link to the alert or scheduled report that the email is associated with. Link to Results A link to the results for the related search job. Search String The search string used by the alert or scheduled report. Inline... Displays the results as an inline table, a list of raw events, or in CSV file format. Trigger condition (for alerts only) The condition that triggered the alert. Trigger time (for alerts only) The alert timestamp. Attach CSV A file attachment that provides the results in CSV format. Attach PDF A file attachment that provides the results in PDF format.
- (Optional) Change the email Type to Plain Text.
Type is set to HTML & Plain Text by default.
- Click Save.
If you have Splunk Enterprise, you can configure email alert settings by editing the
alert_actions.conf configuration file. For details, see alert_actions.conf.
Use a search command to send an email notification
You can send email notifications directly from the
sendemail search command. Here is an example.
index=main | head 5 | sendemail to=<email address> server=<server info> subject="Here is an email notification" message="This is an example message" sendresults=true inline=true format=raw sendpdf=true
If you are sending an email notification to a server that requires SMTP authentication, you must have the admin role assigned.
See the sendemail command listing in the Search Reference for more details.
Example - Send email to different recipients based on search results
This example shows you how you can use the
$result.recipient$ token to make the Splunk software send notification emails to different recipients depending on the number of results returned by the search.
$result.recipient$ token works in conjunction with an
eval statement in the search. This
eval statement sets the conditions under which emails are sent to specific addresses.
Here is an example of a search that is designed to work with
"error" | stats count | eval recipient=case(count > 3500, "email@example.com", count >= 500, "firstname.lastname@example.org", 1==1, null()) | where isnotnull(recipient)
After this search is saved as an alert or scheduled report, you design an email notification action for it where you type
$result.recipient$ in the To field.
When the alert is triggered or the scheduled report runs on its schedule, a notification is sent
recipient1 if there are more than 3500 results. If there are fewer than 500 results, a notification is sent to
recipient2. If neither condition applies, no notification is sent.
User role configuration for PDF delivery
The following capabilities are required for PDF delivery scheduling.
- admin_all_objects. This capability is required if the mail host requires login credentials.
See About defining roles with capabilities in the Security Manual for more information.
Set up alert actions
Use tokens in email notifications
This documentation applies to the following versions of Splunk® Enterprise: 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.3.0