Alerting

How to achieve plain text email alerts in Splunk Enterprise 6.2.5?

Explorer

Or, alternatively, how to ensure that the "alternative plain text version" comes through?

From the 6.2.5 documentation on alert_actions.conf:

format = [table|raw|csv]
    * Specify the format of inline results in the email.
    * Acceptable values:  table, raw, and csv.
    * Previously accepted values plain and html are no longer respected
    * and equate to table.
    * All emails are sent as HTML messages with an alternative plain text version.

I am not seeing an alternative plain text version dispatched alongside or as an attachment to HTML email alerts in our deployment at our organization. What avenues can I explore here? I'd rather not hack up sendemail.py, but if I have to, any pointers there would be appreciated as well.

0 Karma
1 Solution

Explorer

The answer is that all alert emails are sent as multi-part mime-encoded, which is technically not pure plain text but most readers in plain text mode should not have an issue displaying alerts/result sets in plain text

View solution in original post

0 Karma

Explorer

The answer is that all alert emails are sent as multi-part mime-encoded, which is technically not pure plain text but most readers in plain text mode should not have an issue displaying alerts/result sets in plain text

View solution in original post

0 Karma

Esteemed Legend

Try calling your own mail script. You can use the following perl script as a starting point:

#!/usr/bin/perl -w
use strict; use warnings; use diagnostics;

my ($myPath, $myName) = $0 =~ m/(.*)[\\\/](.+)/ ? ($1, $2) : ("./", $0);

# Parameters passed in from Splunk's alert
# $1-$9 is the positional parameter list. $ARGV[0] starts at $1 in Perl.
#my $searchCount = $ARGV[0]; # $1 searchCount  - Number of events returned
#my $searchTerms  = $ARGV[1]; # $2 searchTerms  - Search terms
 my $Description  = $ARGV[2]; # $3 searchQuery  - Fully qualified query string
 my $AlertName    = $ARGV[3]; # $4 searchName   - Name of saved search
#my $searchReason = $ARGV[4]; # $5 searchReason - Reason saved search triggered
#my $Description  = $ARGV[5]; # $6 searchURL    - URL/Permalink of saved search
#my $searchTags   = $ARGV[6]; # $7 searchTags   - Always empty <= v6.1.1
 my $searchPath  = $ARGV[7]; # $8 searchPath   - Path to search-head results

mail -s "Splunk plain-text emai for $AlertName=$Description" user@example.com < $searchPath

exit 0;
0 Karma

Explorer

This is less than ideal as I don't have the means to test outside of our production environment at the moment. I'd also prefer to keep Splunk's script intact as it seems quite robust, and furthermore future updates would not break functionality. Any idea why the alternative plain text versions are not coming through?

0 Karma