How to add Custom email alert content.

DEkocklukas · ‎11-17-2011

Hi.

Where can you configure the content of an Email sent?
For instance currently the alert looks like this

Saved search results.
Name: 'Service unavailable Test'
Query Terms: 'source=\"c:\\logs\\CA_IF_Log_File.log\" host=\"Test\"'
Link to results: http://splunk:8000/app/Rat_Stalling_Alerts/@go?sid=scheduler__admin_UmF0X1N0YWxsaW5nX0FsZXJ0cw_Rk5CI...
Alert was triggered because of: 'Saved Search [FNB UAT RAT (136)]: number of events(0)'

That's nice and all.
Instead i want my own specified content in the email.

Example
Saved search results.
Name: 'Service unavailable Test'
Possible downtime. Please investigate

That's all. I do not want all that other information.

wyzandrea · ‎07-27-2015

Saved search results.
Name: 'Service unavailable Test'
Query Terms: 'source="c:logsCA_IF_Log_File.log" host="Test"'
Link to results: http://splunk:8000/app/Rat_Stalling_Alerts/@go?sid=scheduler__admin_UmF0X1N0YWxsaW5nX0FsZXJ0cw_Rk5CI...
Alert was triggered because of: 'Saved Search [FNB UAT RAT (136)]: number of events(0)'

All right, so complicated!

0range · ‎07-23-2013

such a simple thing ans Splunk has no such tool???

steven7537 · ‎04-30-2013

edit the sendmail.py file and change the headings etc in $SPLUNK_HOME/etc/apps/search/bin/sendemail.py, but make sure you make a copy first and be careful!

the_wolverine · ‎04-25-2013

You can just add a custom http link to the subject of the alert. Once fired, the link becomes clickable.

kphillipson · ‎10-24-2012

I use the script option but I was having issue with trying to get the data from the search into the email from the script option in the alert.

My solution is to have the alert kicks off a CLI search which dumps the output into a file that is the body of the crafted email. The use of the >> command appends the file so you can have custom comments like what you are asking for from above. Then once the email is fired off, at the end of the script you can copy over the file you just appended with base text.

I know this is a little redundant and can be cleaned up but I hope you get the idea.

Batch script:

    @echo off
    "%SPLUNK_HOME%\bin\splunk.exe" search "sourcetype=foo bar daysago=1 | table _time foobar | dedup _time" >> e:\email_body.txt

"email program commands to include the file as the body"

Masa · ‎11-21-2012

This will run the result twice and you needs to be concerned about time range depending on the schedules.

You can use "loadjob" command to call the latest scheduled search result in the script.

Here is a simple example;
http://wiki.splunk.com/Community:Search_Alert:_How_to_get_search_result_in_Scripted_Alert

ChrisG · ‎01-09-2012

There is a similar Answers thread here:

http://splunk-base.splunk.com/answers/621/email-alert-subject

Also points to external scripting as the solution.

gcoles · ‎01-09-2012

To elaborate on Damien's comments, a custom script seems to be the only answer right now. There are a few solutions in the 'apps' area:

http://splunk-base.splunk.com/apps/22368/php-scripted-alerts

http://splunk-base.splunk.com/apps/22398/use-javamail-for-scripted-alerts

http://splunk-base.splunk.com/apps/22397/use-python-mail-for-scripted-alerts

Damien_Dallimor · ‎01-09-2012

Your best bet might well be configuring the alert to fire an external script that does the emailing, vs using the inbuilt emailing facility.

Your script has access to 9 different parameters with information about the alert event. And then you could further decorate this with your own custom content, format etc..

http://docs.splunk.com/Documentation/Splunk/5.0.1/Alert/Configuringscriptedalerts#Script_options

iujkjk · ‎01-09-2012

Hey there,

I'd like to +1 this with the addition that I would like to be able to put arbitrary content into the body of the email. Specifically, I'm looking to put links in the body to an internal knowledge base. Anyone working on this?

Regards.

How to add Custom email alert content.

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life