Splunk® Enterprise

Alerting Manual

Splunk Enterprise version 7.1 is no longer supported as of October 31, 2020. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Email notification action

Send an email notification to specified recipients when an alert triggers. Email notifications can include information from search results, the search job, and alert triggering. You can set up an email notification action from the Search page, the Alerts page, or directly in a search command.

In addition to alerting, there are other email notification contexts. For information on email notifications for reports, see Schedule reports in the Reporting Manual. For information on dashboard PDF email delivery, see Generate Dashboard PDFs in Dashboards and Visualizations.


Configure email notification for your Splunk instance

You must configure email notification settings for your Splunk implementation before you can design an email notification action.

If your email notification settings are already configured you can skip this task.

Prerequisite

PDF delivery requires additional user role configuration. See "User role configuration for PDF delivery" at the bottom of this page.

Steps

  1. From the Search and Reporting app home page, select Settings > Server settings > Email settings.
  2. Select Mail Server Settings.
  3. Specify values for the following settings.
    Setting Definition
    Mail host The default value is localhost.
    Email security Select one of the available options.
    Username Optional. Required for SMTP server authentication.
    Password Optional. Required for SMTP server authentication.
  4. Specify Email Format settings.
    Email Format Setting Definition
    Link hostname The hostname for outgoing results URLs. Enclose IPv6 addresses in square brackets. Example: [2001:db8:0:1]
    Send emails as (Optional) Specify a sender identification, used in the From email header field. Use an email address or a string. Strings are concatenated with @<hostname>, using the hostname specified in alert_actions.conffor the machine sending the email notification or @localhost if no hostname is specified. Defaults to splunk@<hostname> or splunk@localhost if no hostname is specified.
    Email footer Footer for all emails. Use text and/or tokens.
  5. Click Save.

Define an email notification for an alert or scheduled report

  • Before you can send an email notification, configure the email notification settings in the Settings page. See Configure email notification for your Splunk instance.
  • To send an email notification within a search to a mail server that requires SMTP authentication, you must have the admin role assigned.
  • To send an email notification within a search to a mail server that does not require SMTP auth requires the list_settings capability. By default, only the admin, splunk-system-role, and can_delete roles are assigned the list_settings capability.
    If you want to allow users not belonging to any of these roles to send email notifications using the sendemail command, you must assign their roles the list_settings and the schedule_search capabilities. For more information on roles and capabilities, see "About defining roles with capabilities" in the Securing Splunk Enterprise Manual.
  • PDF delivery requires additional user role configuration. See "User role configuration for PDF delivery" at the bottom of this page.
  • To review token usage, see Use tokens in email notifications.


Steps

  1. You can configure the email notification action when you create a new alert, edit the actions for an existing alert, or define or edit the schedule for a report. Follow one of the options below.
    Option Steps
    Create a new alert From the Search page in the Search and Reporting app, select Save As > Alert. Enter alert details and configure triggering and throttling as needed.
    Edit an existing alert From the Alerts page in the Search and Reporting app, select Edit > Edit actions for an existing alert.
    Define or edit the schedule of a report From the Reports page in the Search and Reporting app, select Edit > Edit schedule for a report.
  2. Click Add Actions and select Send email.
  3. Type a comma-separated list of To email recipients.
  4. (Optional) Click Show CC and BCC to type comma-separated lists of CC, and BCC email recipients.
  5. (Optional) Set the email Priority. Enforcement of email priority depends on your email client.
  6. (Optional) Provide the email Subject and Message.
    You can optionally use tokens in the subject and message text.
  7. (Optional) Select one or more of the following options to include material in the email.
    Option Adds to email
    Link to Alert or Link to Report A link to the alert or scheduled report that the email is associated with.
    Link to Results A link to the results for the related search job.
    Search String The search string used by the alert or scheduled report.
    Inline... Displays the results as an inline table, a list of raw events, or in CSV file format.
    Trigger condition (for alerts only) The condition that triggered the alert.
    Trigger time (for alerts only) The alert timestamp.
    Attach CSV A file attachment that provides the results in CSV format.
    Attach PDF A file attachment that provides the results in PDF format.
  8. (Optional) Change the email Type to Plain Text.
    Type is set to HTML & Plain Text by default.
  9. Click Save.

If you have Splunk Enterprise, you can configure email alert settings by editing the alert_actions.conf configuration file. For details, see alert_actions.conf.


Use a search command to send an email notification

You can send email notifications directly from the sendemail search command. Here is an example.

index=main | head 5 | sendemail to=<email address> server=<server info> subject="Here is an email notification" message="This is an example message" sendresults=true inline=true format=raw sendpdf=true

If you are sending an email notification to a server that requires SMTP authentication, you must have the admin role assigned.

See the sendemail command listing in the Search Reference for more details.


Example - Send email to different recipients based on search results

This example shows you how you can use the $result.recipient$ token to make the Splunk software send notification emails to different recipients depending on the number of results returned by the search.

The $result.recipient$ token works in conjunction with an eval statement in the search. This eval statement sets the conditions under which emails are sent to specific addresses.

Here is an example of a search that is designed to work with $result.recipient$.

"error" | stats count | eval recipient=case(count > 3500, "recipient1@domain.com", count >= 500, "recipient2@domain.com", 1==1, null()) | where isnotnull(recipient)

After this search is saved as an alert or scheduled report, you design an email notification action for it where you type $result.recipient$ in the To field.

When the alert is triggered or the scheduled report runs on its schedule, a notification is sent recipient1 if there are more than 3500 results. If there are fewer than 500 results, a notification is sent to recipient2. If neither condition applies, no notification is sent.


User role configuration for PDF delivery

The following capabilities are required for PDF delivery scheduling.

  • schedule_search
  • admin_all_objects. This capability is required if the mail host requires login credentials.
  • list_settings

See About defining roles with capabilities in the Security Manual for more information.

Last modified on 23 October, 2020
Set up alert actions   Use tokens in email notifications

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters