==> Saved search view in web interface
list(mailfrom) TIME count
abc@gmail.com 10/2/2012 09:05 12
apple@gmail.com
stb@gmail.com
peter@gmail.com 10/2/2012 09:16 15
mary@gmail.com
happy@gmail.com
abc@gmail.com 10/2/2012 09:43 13
apple@gmail.com
stb@gmail.com
==> Search result in the email alert
list(mailfrom) TIME count
abc@gmail.com apple@gmail.com stb@gmail.com 10/2/2012 09:05 12
peter@gmail.com mary@gmail.com happy@gmail.com 10/2/2012 09:16 15
abc@gmail.com apple@gmail.com stb@gmail.com 10/2/2012 09:43 13
All the line breaks are lost.
Although I can use the mvjoin command to add ";" to separate them, a line break is still necessary since there are more than 100 values in the list.
Can anyone help? Thank you.
I feel your pain. I believe the problem is that Splunk is not properly converting the line breaks (newlines) from the event to the appropriate line break sequence required by email (carriage return + line feed) when passing it off to email. Been banging my head against this for hours. I attempted, with eval replace, to replace all newlines in the event with \r\n, but it inserts the literal string "\r\n".
Here is the conf found in /users/
Here is part of the conf file: https://www.dropbox.com/s/sgnxoj12dlv63xv/savedsearches.conf.txt
Check in etc/users/<yourusername>/search/local/
And I'm using an Exchange/Outlook mail service currently.
Hi MuS, thanks for helping. I use the same search as you do. Splunk version is 6.1.1. I checked
- $SPLUNK_HOME/etc/apps/search/local/savedsearches.conf
- $SPLUNK_HOME/etc/system/local/savedsearches.conf
The first one has nothing under [default], the second one has nothing.
Here is the link to the screen capture:
https://www.dropbox.com/s/c3p35gyl1ubemje/splunk-1.png
May I know what email server/service you are using? Exchange, Gmail, Yahoo ...?
Could you please provide more details like the search used, your savedsearches.conf entry for this alert and the Splunk version used?
I did a test on 6.0.x and this just works fine....
Search used: index=_internal | stats count list(source)
Result:
count list(source)
72200 /opt/splunk/var/log/splunk/splunkd_access.log
/opt/splunk/var/log/splunk/splunkd_access.log
/opt/splunk/var/log/splunk/splunkd_access.log
Hi ppablo, thanks for asking. But the problem is still there. I tried \r \n
but none of them works on Lotus Notes or Gmail. We attach the result as a PDF as an alternative method, but still, we are looking for a solution.
Did you ever find a resolution for this?
It might be your email client (Outlook) modifying the whitespace. Could you attach it as a CSV or PDF instead of inline text?
Alternatively, you could use the sendemail command and set inline=false to force the attachment.
Hi Derek, thanks for the help. But Gmail seems to have the same problem.