topic Re: How to include results in e-mail in raw format? in Getting Data In

How to include results in e-mail in raw format?

Simon — Wed, 21 Apr 2010 19:16:05 GMT

Hi everybody

In Splunk 3.x we got the results attached to the email when running a scheduled a saved search in raw format. Unfortunately since Splunk 4.x these come in csv which is not that comfortable for us. Is there a way to change the format or do I have to place a feature request?

Regards, Simon

Re: How to include results in e-mail in raw format?

the_wolverine — Thu, 22 Apr 2010 00:18:41 GMT

You can change the format system-wide by editing the alert_actions.conf file. The out-of-box default in version 4.1 is html:

# Specify the format of the text in the email as either: 
# html, raw, csv, plain. Remember that results are always attached in csv format
#
format = html

Re: How to include results in e-mail in raw format?

jrodman — Thu, 22 Apr 2010 01:01:54 GMT

You can also specify the format on an alert-by-alert basis, in savedsearches.conf:

[mysearch]
action.email.format = raw

You should be able to override all system defaults from alert_actions.conf on an alert-by-alert basis in this format.

Re: How to include results in e-mail in raw format?

Simon — Thu, 22 Apr 2010 02:51:27 GMT

Okay, didn't knew that changing the e-mail format also applies to any attachemets. But there is no option to let the users itself to specify the format when they do not have access to the config files?

Re: How to include results in e-mail in raw format?

the_wolverine — Thu, 10 Mar 2011 03:41:59 GMT

Is this a legitimate action in version 4.1.5? I ask because I don't see this action in the spec file.

Re: How to include results in e-mail in raw format?

the_wolverine — Thu, 10 Mar 2011 08:49:26 GMT

I've verified that setting action.email.format PER SEARCH works in 4.1.5. Still wondering why this useful feature is not documented.

Re: How to include results in e-mail in raw format?

jrodman — Mon, 28 Sep 2020 09:26:18 GMT

The alert_actions.conf.spec file says "hey my actions spill through to savedsearches.conf". I thought savedsearches.conf indicated the same the other way. The settings are not all documented in duplicate in both locations. Perhaps we shoyld say something like action.* settings can be reviewed in alert_actions.conf.spec

Re: How to include results in e-mail in raw format?

mohitvohra109 — Fri, 06 Jan 2012 14:17:26 GMT

Assuming that you are part of the Splunk Admin group; then yes it can be done.

Log in to Splunk and then on top right corner of your screen you'll see the 'Manager' link.
Click on it and then click the 'System Settings' link.
There click on the 'Email alert settings' and you'll see a drop down next to 'Email Format'. Click on it and you can set it from csv to 'raw' as well
Beneath that drop-down box you'll also see another combo box for 'Include results inline'. Make sure that the value selected beneath that combo box is 'Yes'.
That's it. Now the next time you select the option 'include results in email' while scheduling the search it will come in raw format.

I can verify this on 4.1.6 as i used this to do the opposite; i.e. I wanted csv reports rather than inline raw text so this has worked for me. Hope this helps.

Re: How to include results in e-mail in raw format?

mohitvohra109 — Fri, 06 Jan 2012 14:19:13 GMT

When i say 'Splunk Admin group' i mean that you must be part of the AD group that grants you admin access on Splunk or that you have the required permissions to play with the 'System Settings' under the 'Manager' link.