Email Alert Actions - How to remove default fields from each email


Every email we get from Splunk looks like the following:

> Saved search results.
> Name: 'Tool - Test Port Channel Checking'
> Query Terms: 'sourcetype=syslog_info  ETH_PORT_CHANNEL | rex "port-channel(?<port>\d+):" | dedup port | fields + port, host'
> Link to results:
> Alert was triggered because of: 'Saved Search [Tool - Test Port Channel Checking]: custom(4)'

What I need to do is remove all that Splunk "Default" information and add my own. What .xml file controls this? I know how to add/remove Fields from email alerts, but the data above is given by default on every email.



Splunk Employee

Check out my answer in - I think it might be what you're looking for.



For the most part, these are controlled directly by the script, and not by a config file.

The simplest solution would be to schedule your search to call the sendemail command directly, by piping to:

.... | sendemail to="<recipient address>" sendresults=true

If you want more control, you'll need to create your own version of the sendemail script, and update commands.conf in the search app to point to your customized version.

See also:
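The approach from the answer above applied to the search in the question, as an added example that is not part of the original thread: the saved search pipes its own results to sendemail and supplies the subject and message text itself, so the default "Saved search results / Name / Query Terms" header never appears. The recipient address is a placeholder, and the search is assumed to be scheduled without the built-in email alert action enabled, otherwise two emails are sent.

```spl
sourcetype=syslog_info ETH_PORT_CHANNEL
| rex "port-channel(?<port>\d+):"
| dedup port
| fields + port, host
| sendemail to="netops@example.com" subject="Port channel check" message="Port channels seen in syslog_info during the last scheduled run:" sendresults=true inline=true format="table"
```

With sendresults=true and inline=true the port/host table is placed in the message body; format="csv" attaches it instead, and omitting sendresults sends only the message text.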
