Email Alert Actions - How to remove default fields...

MasterOogway · ‎11-29-2010

Every email we get from Splunk looks like the following:

**Saved search results.
Name: 'Tool - Test Port Channel Checking'
Query Terms: 'sourcetype=syslog_info  ETH_PORT_CHANNEL | rex "port-channel(?<port>\d+):" | dedup port | fields + port, host'
Link to results: http://server.domain.net:8000/app/search/@go?sid=scheduler__nobody__search_VG9vbCAtIFRlc3QgUG9ydCBDa...
Alert was triggered because of: 'Saved Search [Tool - Test Port Channel Checking]: custom(4)'**

What I need to do is remove all that Splunk "Default" information and add my own. What .xml file controls this? I know how to add/remove Fields from email alerts, but the data above is given by default on every email.

MasterOogway

sloshburch · ‎10-11-2013

Check out my answer in http://answers.splunk.com/answers/41129/use-of-the-search-description-field-in-an-alert-email - I think it might be what you're looking for.

southeringtonp · ‎11-29-2010

For the most part, these are controlled directly by the sendemail.py script, and not by a config file.

The simplest solution would be to schedule your search to call the sendemail command directly, by piping to:

.... | sendemail.py to=user@foo.org sendresults=true server=mail.bar.org

If you want more control, you'll need to create your own version of the sendemail script, and update commands.conf in the search app to point to your customized version.

See also:
http://answers.splunk.com/questions/8532/remove-query-and-table-header-from-emails
http://answers.splunk.com/questions/6423/how-to-change-default-alert-smtp-port

Email Alert Actions - How to remove default fields from each email

Streamline Data Ingestion With Deployment Server Essentials

Remediate Threats Faster and Simplify Investigations With Splunk Enterprise Security ...

Introduction to Splunk AI