Alerting

Email Report format

Motivator

I have an alert that sends an email every day at 6:00 AM that is formatted as a table to show me the systems that have been rebooted in the last 24 hours.

In the email is the content of the search that was run:

Name: 'Server Restarts'
**Query Terms: 'index=main EventCode=1074 SourceName=\"USER32\" | rex field=_raw \"Comment:\s(?.</em>)\&quot; | rex field=Message \&quot;The process\s(?<process>[^\s]+)\&quot; | transaction host maxspan=5m | eval user_count=mvcount(User) | eval final_user=case(user_count == 1, User, user_count &gt; 1, mvindex(User, user_count-1)) | eval process_count=mvcount(process) | eval final_process=case(process_count == 1, process, process_count &gt; 1, mvindex(process, process_count-1)) | table <em>time host final_user final_process comment | rename _time AS Time | convert timeformat=\&quot;%m/%d/%Y. %H:%M:%S\&quot; ctime(Time) | rename final_user AS Username | rename final_process AS \&quot;Process name\&quot; | rename comment AS \&quot;Comment\&quot;&#39; <br> Link to results: <a href="https://xxx.xxx.xxx.48:8000/app/search/@go?sid=scheduler">https://xxx.xxx.xxx.48:8000/app/search/@go... <br> Alert was triggered because of: &#39;Saved Search [Server Restarts]: number of events(4)&#39;** </p> <p>Time host Username Process name Comment<br> 09/28/2011. 05:30:00 XXXWEB02 ESCG\cfldap winlogon.exe 60<br> 09/28/2011. 05:00:03 XXXAPP03 NT AUTHORITY\SYSTEM PSSDNSVC.EXE<br> 09/27/2011. 11:51:23 XXXUSERAPPS XXX\xxxxS Explorer.EXE<br><br> 09/27/2011. 11:22:40 XXXAPP10 NT AUTHORITY\SYSTEM svchost.exe *</p> <p>I want the email to have only the tabel without the search text in <strong>bold</strong> above</p> <p>How do i get this info out of the email alert????</p> </p>

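The search in the question (two rex extractions, transaction host maxspan=5m, then mvindex to pick the last user and process of each transaction) can be sanity-checked outside Splunk. What follows is an added example, not code from the original post or from Splunk: a Python emulation of that pipeline run over constructed EventCode 1074 events. The hostnames, users, timestamps and message text are made up; the example assumes the process name appears bare in the Message (as it does in the question's output) and, like the question's search, that the latest value inside a transaction is the one to report. render_table() produces only the table part of the e-mail that the question wants kept.

```python
import re
from datetime import datetime, timedelta

# Regexes from the saved search's two rex commands (Python's (?P<name>) syntax).
COMMENT_RE = re.compile(r"Comment:\s(?P<comment>.*)")
PROCESS_RE = re.compile(r"The process\s(?P<process>[^\s]+)")
MAXSPAN = timedelta(minutes=5)          # transaction host maxspan=5m
TIME_FMT = "%m/%d/%Y. %H:%M:%S"         # convert timeformat="..." ctime(Time)


def _msg(process, host, user, comment):
    """Constructed EventCode 1074 message body (sample data, not captured logs)."""
    return ("The process %s has initiated the restart of computer %s on behalf of user %s "
            "for the following reason: No title for this reason could be found\n"
            " Reason Code: 0x500ff\n Shutdown Type: restart\n Comment: %s"
            % (process, host, user, comment))


def _event(ts, host, user, process, comment):
    """One event as Splunk would present it: _time, host, User, Message and _raw."""
    msg = _msg(process, host, user, comment)
    return {"_time": ts, "host": host, "User": user, "Message": msg, "_raw": msg}


# Constructed sample events (hostnames and users are made up).  XXXAPP10 has two
# events 90 s apart, so 'transaction host maxspan=5m' folds them into one
# transaction; the later user/process is what the search reports for it.
SAMPLE_EVENTS = [
    _event("2011-09-27 11:22:40", "XXXAPP10", "NT AUTHORITY\\SYSTEM", "svchost.exe", ""),
    _event("2011-09-27 11:24:10", "XXXAPP10", "XXX\\admin", "winlogon.exe", "patching"),
    _event("2011-09-28 03:00:00", "XXXAPP10", "NT AUTHORITY\\SYSTEM", "svchost.exe", ""),
    _event("2011-09-28 05:30:00", "XXXWEB02", "ESCG\\cfldap", "winlogon.exe", "60"),
]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def extract_fields(event):
    """The two rex commands: add 'comment' (from _raw) and 'process' (from Message)."""
    out = dict(event)
    m = COMMENT_RE.search(event["_raw"])
    out["comment"] = m.group("comment").strip() if m else ""
    m = PROCESS_RE.search(event["Message"])
    out["process"] = m.group("process") if m else ""
    return out


def transactions(events, maxspan=MAXSPAN):
    """Emulate 'transaction host maxspan=5m': chronological per-host groups whose
    first-to-last span does not exceed maxspan."""
    by_host = {}
    for ev in sorted(events, key=lambda e: parse_time(e["_time"])):
        by_host.setdefault(ev["host"], []).append(ev)
    groups = []
    for evs in by_host.values():
        group = []
        for ev in evs:
            if group and parse_time(ev["_time"]) - parse_time(group[0]["_time"]) > maxspan:
                groups.append(group)
                group = []
            group.append(ev)
        groups.append(group)
    return groups


def summarise(group):
    """The mvcount/mvindex evals: last user and process of the transaction, stamped
    with the transaction's start time (Splunk gives a transaction the earliest _time)."""
    last = group[-1]
    return {
        "Time": parse_time(group[0]["_time"]).strftime(TIME_FMT),
        "host": group[0]["host"],
        "Username": last["User"],
        "Process name": last["process"],
        "Comment": last["comment"],
    }


def report(events):
    """Whole pipeline; rows newest-first, the order Splunk returns search results in."""
    rows = [summarise(g) for g in transactions([extract_fields(e) for e in events])]
    return sorted(rows, key=lambda r: datetime.strptime(r["Time"], TIME_FMT), reverse=True)


def render_table(rows):
    """Plain-text table: only the part of the e-mail the question wants to keep."""
    cols = ["Time", "host", "Username", "Process name", "Comment"]
    widths = {c: max([len(c)] + [len(r[c]) for r in rows]) for c in cols}
    fmt = "  ".join("{:<%d}" % widths[c] for c in cols)
    lines = [fmt.format(*cols)] + [fmt.format(*(r[c] for c in cols)) for r in rows]
    return "\n".join(line.rstrip() for line in lines)


if __name__ == "__main__":
    print(render_table(report(SAMPLE_EVENTS)))
```

Running the script prints three rows for four events: XXXAPP10's two events at 11:22:40 and 11:24:10 collapse into one transaction, and the row shows the second event's user and process. That is the behaviour the mvindex(User, user_count-1) step in the search relies on, and it is worth checking on real events, since whichever event comes last in the transaction decides who gets blamed for the reboot.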
1 Solution

Splunk Employee

Starting in Splunk 6.1, this ability is built into the product. Edit your search and look under the "Click to edit email action" link in the "Alert Actions" section. It's a simple check box you can uncheck. It's in the picture in step 4.

http://docs.splunk.com/Documentation/Splunk/6.1.1/Alert/Setupalertactions



Contributor

This is quite easy. In Splunk, the e-mail alert is just triggered by the saved search, which then calls the Python script $SPLUNK_HOME/etc/apps/search/bin/sendemail.py, and in that script you can find this code in the mail function:

if pdfview:
    intro += 'Scheduled view delivery.\n\nA PDF snapshot has been generated for the view: %s.\n\n' % pdfview

else:
    intro += "Saved search results.\n\n"

    if settings != None:
        user  = settings.get("user", None)
        if user != None:
            intro += "User: \'" + user + "\'\n"

    ssName = argvals.get("ssname", None)
    if ssName != None:
        if not plainText:
            ssName = cgi.escape(ssName)
        intro += "Name: \'" + ssName + "\'\n"

    query = argvals.get("ssquery", None)
    # ---- here you can comment out the 4th line below ----
    1. if query != None:
    2.     if not plainText:
    3.         query = cgi.escape(query)
    4.     intro += "Query Terms: \'" + query + "\'\n"
    ...
    ...