Cleanup the output from email alerts


I have a similar problem as in

I have tried the answer provided (both of them) and they do not do what I need.

The problem is that I only want to send an email if events are returned but using the sendmail option it sends the mail every time the alert is scheduled. This does not seem possible without a custom script.

0 Karma

Re: Cleanup the output from email alerts


I found this and it seems to work.

Looking at alert_actions.conf it has a configuration option called command and using the example provided in the above link I was able to adjust the command statement to cleanup the emails sent.

Using the below command entry only the results are sent in the email.

command = sendemail "to=$$" "server=${default=localhost}$" "from=${default=splunk@localhost}$" "subject=${recurse=yes}$" "format=${default=csv}$" "inline=${default=False}$" "sendresults=${default=False}$" "sendpdf=${default=False}$" "pdfview=$$" "searchid=$search_id$" "graceful=$graceful{default=True}$" maxinputs="$maxinputs{default=1000}$" maxtime="${default=5m}$" _validate-1 =, validate( is_bool(''), "Value of argument '' must be a boolean")

View solution in original post


Re: Cleanup the output from email alerts

New Member

I'm on Splunk 5.0.2 and tried the above suggestion. It did work to remove the query results from my email messages, but did not remove the URL to the search. I also found that the above killed my ability to attach PDFs to any of my alerts. Once I removed the above, the PDF started working again.

I did a few things to clean up and simplify the email alerts. First, I modified the by customizing the intro+= that used to say the details of the search is below to: intro += "The Details of the Splunk Alert is below. If you need assistance, contact CIRT at"

I then commented out the lines for the ssLink that links to the results. I just put a # in front of two lines, first the #if ssLink: and then the #intro += "Link to results: " + ssLink + "\n"; This removed the URLs from my email alerts.

Next I commented out the lines responsible for putting the query into the body of the email. Again, place a # in front of two lines, as shown below: #if query: and then the #intro += "Query Terms: \'" + escape(query, plainText) + "\'\n"

Now my email messages look like this:
The Details of the Splunk Alert is Below. If you need assistance, contact CIRT at

Name: 'SEP Alert - Malware Found'
Alert was triggered because of: 'Saved Search [SEP Alert - Malware Found]: number of events(1)'

The content is shown below inline. I confirmed that the .csv and the .pdf attachments will both work with this done as well.

I have not found any issues with any of my alerts doing it this way, but the nice thing is...all you have to do is remove the # signs in the code and you should be back in business if something stops working correctly. Also...FYI the backslashes do not appear in the text correctly, Splunk must not allow them in comments, so your code may look just a bit different than this example.

0 Karma