I have Splunk configured and working behind a proxy. The goal is to hit "https://splunk/" and have it redirect me to "https://internal.splunk:8000/". This works fine for the web interface, but not for my email alerts. I have configured my email settings in the GUI to use the proper hostname, but when I get my email alert, the link goes to "https://splunk:8000/".
What setting do I have to change to remove the :8000 from the link Splunk sends me?
When I make the change as specified in ftk's answer it changes the reference to the location of my PDF server, not the "Link to results" link. This is also in alignment with the alert_actions.conf documentation.
The issue is that the proxy is at link A and the Splunk server resides at link B. The "Link to results" link in the email is to link B (directly to the Splunk server) and not to Link A (the proxy).
Is there a way to force the email to contain the link to the proxy server?
I believe alert_action.conf is the right place, the value you want should be
hostname = host.domain.com
I just had the same issue, and the only way I could figure it out is to use the following in alert_action.conf:
When the URL gets added to the email, you get the following (depending on which one you use):
Either way, the browsers interpret the URL correctly, but it just doesn't look pretty.
Hope that helps.
I found a bit of a problem with this, the alerts work perfectly, however for some reason when I have the port set to :80 it makes the Scheduled PDF Reports fail when it tries to generate the PDF. I can't figure out why as the moment, but just thought I'd let you know in case you run into this issue as well.
hostnames were not properly configured on alertsactions.conf file that failed to display results for email link results, This was corrected by adding stanza in /opt/splunk/etc/system/local/alertaction.conf: