
How to add Custom email alert content.

Engager

Hi.

Where can you configure the content of an Email sent?
For instance, currently the alert looks like this:

Saved search results.
Name: 'Service unavailable Test'
Query Terms: 'source=\"c:\\logs\\CAIFLogFile.log\" host=\"Test\"'
Link to results: http://splunk:8000/app/Rat
StallingAlerts/@go?sid=scheduleradminUmF0X1N0YWxsaW5nX0FsZXJ0cwRk5CIFVBVCBSQVQgKDEzNikat132151116038e42c35c40b389e
Alert was triggered because of: 'Saved Search [FNB UAT RAT (136)]: number of events(0)'

That's nice and all.
Instead I want my own specified content in the email.

Example
Saved search results.
Name: 'Service unavailable Test'
Possible downtime. Please investigate

That's all. I do not want all that other information.


Re: How to add Custom email alert content.

New Member

Hey there,

I'd like to +1 this with the addition that I would like to be able to put arbitrary content into the body of the email. Specifically, I'm looking to put links in the body to an internal knowledge base. Anyone working on this?

Regards.

0 Karma

Re: How to add Custom email alert content.

Ultra Champion

Your best bet might well be configuring the alert to fire an external script that does the emailing, vs using the inbuilt emailing facility.

Your script has access to 9 different parameters with information about the alert event. And then you could further decorate this with your own custom content, format etc.

http://docs.splunk.com/Documentation/Splunk/5.0.1/Alert/Configuringscriptedalerts#Script_options
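
As an added example (not code from this thread or from Splunk), here is a minimal Python alert script that builds the short custom message the original poster asked for from the positional arguments Splunk passes to scripted alerts. The argument order follows the scripted alerts documentation linked above; the addresses and the knowledge-base URL are assumed placeholders, and the saved-search name is flattened to one line so that a name containing line breaks cannot add mail headers.

```python
import sys
from email.message import EmailMessage

# Positional arguments Splunk passes to a scripted alert (argv[0] is the script).
ARG_NAMES = ("script", "event_count", "search_terms", "query_string",
             "search_name", "trigger_reason", "results_url", "deprecated",
             "results_file")

# Assumed placeholders, not values from the thread.
SENDER = "splunk-alerts@example.com"
RECIPIENT = "oncall@example.com"
KB_URL = "https://kb.example.com/runbooks/service-unavailable"


def one_line(value, limit=200):
    """Replace control characters and collapse whitespace so the value stays on one line."""
    cleaned = "".join(c if c.isprintable() else " " for c in value)
    return " ".join(cleaned.split())[:limit]


def build_alert_email(argv):
    """Return an EmailMessage holding only the content the alert owner wants."""
    if len(argv) < len(ARG_NAMES):
        raise ValueError("expected %d arguments, got %d" % (len(ARG_NAMES), len(argv)))
    alert = dict(zip(ARG_NAMES, argv))
    name = one_line(alert["search_name"])
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = RECIPIENT
    msg["Subject"] = "Splunk alert: " + name
    msg.set_content(
        "Saved search results.\n"
        "Name: '%s'\n"
        "Possible downtime. Please investigate\n"
        "Knowledge base: %s\n" % (name, KB_URL)
    )
    return msg


if __name__ == "__main__":
    # Printing keeps the example offline; pass the message to
    # smtplib.SMTP(<your relay>).send_message(...) to deliver it.
    print(build_alert_email(sys.argv))
```
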


Re: How to add Custom email alert content.

Communicator

To elaborate on Damien's comments, a custom script seems to be the only answer right now. There are a few solutions in the 'apps' area:

http://splunk-base.splunk.com/apps/22368/php-scripted-alerts

http://splunk-base.splunk.com/apps/22398/use-javamail-for-scripted-alerts

http://splunk-base.splunk.com/apps/22397/use-python-mail-for-scripted-alerts

0 Karma

Re: How to add Custom email alert content.

Splunk Employee

There is a similar Answers thread here:

http://splunk-base.splunk.com/answers/621/email-alert-subject

Also points to external scripting as the solution.

0 Karma

Re: How to add Custom email alert content.

Path Finder

I use the script option but I was having issues with trying to get the data from the search into the email from the script option in the alert.

My solution is to have the alert kick off a CLI search which dumps the output into a file that is the body of the crafted email. The use of the >> command appends the file so you can have custom comments like what you are asking for from above. Then once the email is fired off, at the end of the script you can copy over the file you just appended with base text.

I know this is a little redundant and can be cleaned up but I hope you get the idea.

Batch script:

    @echo off
    "%SPLUNK_HOME%\bin\splunk.exe" search "sourcetype=foo bar daysago=1 | table _time foobar | dedup _time" >> e:\email_body.txt

    rem email program commands to include the file as the body

0 Karma

Re: How to add Custom email alert content.

Splunk Employee

This will run the result twice and you need to be concerned about time range depending on the schedules.

You can use the "loadjob" command to call the latest scheduled search result in the script.

Here is a simple example:
http://wiki.splunk.com/Community:Search_Alert:_How_to_get_search_result_in_Scripted_Alert


Re: How to add Custom email alert content.

Champion

You can just add a custom http link to the subject of the alert. Once fired, the link becomes clickable.

0 Karma

Re: How to add Custom email alert content.

Explorer

Edit the sendemail.py file and change the headings etc. in $SPLUNK_HOME/etc/apps/search/bin/sendemail.py, but make sure you make a copy first and be careful!


Re: How to add Custom email alert content.

Communicator

Such a simple thing and Splunk has no such tool???