As per the Splunk documentation for savedsearches.conf, action.email.from can be set to ensure the "From" address is filled in.
The default value in alert_actions.conf is splunk when I run btool.
How to change this to splunk@$LOCALHOST? (Though the document says it is the default, in reality it is just "splunk".)
When I put the value as splunk@$LOCALHOST it throws an error, "Invalid Address", in python.log.
(OR any REST interface for this?)
Same issue exists on Splunk 6.4.x, 6.5.x, 6.6.x
If you look at $SPLUNK_HOME/etc/system/default/alert_actions.conf, it is saying that hostname will be automatically appended from mailserver

# from email address (name only, host will be appended automatically from mailserver)
from=splunk

Can you please let us know what value you are getting in From in your mailbox when the email alert has fired? Additionally, how did you configure Splunk to send email alerts?
In my lab environment I didn't configure Email Settings in Splunk, so by default it uses localhost as mailserver (config in alert_actions.conf: mailserver = localhost), and postfix is running on the server as mailserver, so Splunk uses postfix to send email alerts. Postfix takes the hostname from the myhostname parameter in /etc/postfix/main.cf; if you do not set anything, it will use the Linux function gethostname() to set the myhostname parameter. If I specifically set myhostname = test.example.com then Splunk will send the alert (with default configuration) with the from field as firstname.lastname@example.org, so you need to check on your mailserver what hostname it is providing.
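
As an added illustration of the answer above (not code from the original posts or from Splunk), this sketch predicts the From address by following the described rule: a name-only `from` value gets the mail server's `myhostname` appended, falling back to `gethostname()`. The function names, the sample file contents and the host `mail01.lab.example` are constructed assumptions, and leaving an address that already contains `@` unchanged is also an assumption.

```python
import socket

def parse_main_cf(text):
    """Parse Postfix main.cf-style 'name = value' lines: '#' comments are
    skipped, indented lines continue the previous value, last one wins."""
    settings, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key:            # continuation line
            settings[key] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            key = name.strip()
            settings[key] = value.strip()
    return settings

def email_from_setting(conf_text, stanza="email"):
    """Return the 'from' value inside [email] of alert_actions.conf text."""
    current, value = None, None
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current == stanza and not line.startswith("#") and "=" in line:
            k, _, v = line.partition("=")
            if k.strip() == "from":
                value = v.strip()
    return value

def predicted_from(conf_text, main_cf_text):
    """Name-only sender gets the mail server's hostname appended."""
    sender = email_from_setting(conf_text) or "splunk"   # default per the page
    if "@" in sender:                  # assumption: qualified address kept as-is
        return sender
    host = parse_main_cf(main_cf_text).get("myhostname") or socket.gethostname()
    return f"{sender}@{host}"

# Constructed sample inputs (not taken from a real system)
ALERT_ACTIONS = """[email]
# from email address (name only, host will be appended automatically from mailserver)
from=splunk
mailserver = localhost
"""
MAIN_CF = "# constructed sample\nmyhostname = mail01.lab.example\n"

if __name__ == "__main__":
    print(predicted_from(ALERT_ACTIONS, MAIN_CF))
```

Run against the real `alert_actions.conf` and `/etc/postfix/main.cf` contents to see which From address to expect in mail filters or allow-lists before an alert fires.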