Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- Data missing in Alert search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am doing an audit on Splunk alerts. One of the things I am looking for is if the Alert name is in the subject of the email that gets sent. I run the search at the bottom of this message and parse that. There are hundreds of alerts and most of them have one of these two settings.
"action.email.subject.alert": "$name$"
"action.email.subject": "$name$"
I don't know the difference between the two, but they seem to match proper alert setups in the GUI. There are a few dozen alerts that don't return either of these though. When I look at one of those alerts in the GUI it has the correct setting for the alert. The email subject is $name$.
Why don't these Alerts that seem to be configured correctly return the "action.email.subject" field?
Thanks,
I have even run the search where I return all fields and can't find another that looks like it would be the subject field.
Search:
|rest/servicesNS/-/-/saved/searches | search alert.track=1
| fields title Action.email.to Action.email.subject Action.email.subject.alert
Splunk 7.3.3
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you see $name$ for the alerts in the GUI, or do you see Splunk Alert: $name$? The default subject values come from $SPLUNK_HOME/etc/system/default/alert_actions.conf:
[email]
# ...
subject = Splunk Alert: $name$
subject.alert = Splunk Alert: $name$
subject.report = Splunk Report: $name$
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I looked at a couple that were not showing up and they did have "Splunk Alert: $name$" as the subject. When I looked at the output from the search I did not see any with Splunk Alert: $name$. This leads me to believe that any alert missing the value is set to the default. I'll do a couple of tests to see it that holds true.
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you see $name$ for the alerts in the GUI, or do you see Splunk Alert: $name$? The default subject values come from $SPLUNK_HOME/etc/system/default/alert_actions.conf:
[email]
# ...
subject = Splunk Alert: $name$
subject.alert = Splunk Alert: $name$
subject.report = Splunk Report: $name$
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
