==> Saved search view in web interface
list(mailfrom) TIME count email@example.com 10/2/2012 09:05 12 firstname.lastname@example.org email@example.com firstname.lastname@example.org 10/2/2012 09:16 15 email@example.com firstname.lastname@example.org email@example.com 10/2/2012 09:43 13 firstname.lastname@example.org email@example.com
==> search result in the email alert
list(mailfrom) TIME count firstname.lastname@example.org email@example.com firstname.lastname@example.org 10/2/2012 09:05 12 email@example.com firstname.lastname@example.org email@example.com 10/2/2012 09:16 15 firstname.lastname@example.org email@example.com firstname.lastname@example.org 10/2/2012 09:43 13
All the line breaks are lost.
Although I can use the mvjoin command to add ";" to separate them, a line break is still necessary since there are more than 100 values in the list.
Can anyone help? Thank you.
I feel your pain. I believe the problem is that Splunk is not properly converting the line breaks (newlines) from the event to the appropriate line break sequence required by email (carriage return + line feed) when passing it off to email. Been banging my head against this for hours. I attempted, with eval replace, to replace all newlines in the event with \r\n, but it inserts the literal string "\r\n".
Here is the conf found in /users/
Here is part of the conf file: https://www.dropbox.com/s/sgnxoj12dlv63xv/savedsearches.conf.txt
Hi MuS, thanks for helping. I use the same search as you do. Splunk version is 6.1.1. I checked
- $SPLUNKHOME/etc/apps/search/local/savedsearches.conf
- $SPLUNKHOME/etc/system/local/savedsearches.conf
The first one has nothing under [default]; the second one has nothing.
Here is the link to the screen capture:
May I know what email server/service you are using? Exchange, Gmail, Yahoo ...?
Could you please provide more details, like the search used, your savedsearch.conf entry for this alert and the Splunk version used?
I did a test on 6.0.x and this just works fine....
Search used: index=_internal | stats count list(source)
count list(source) 72200 /opt/splunk/var/log/splunk/splunkd_access.log /opt/splunk/var/log/splunk/splunkd_access.log /opt/splunk/var/log/splunk/splunkd_access.log
Hi ppablo, thanks for asking. But the problem is still there. I tried \r \n
but none of them works on Lotus Notes or Gmail. We attach the result as a PDF as an alternative method, but still, we are looking for a solution.
It might be your email client (Outlook) modifying the whitespace. Could you attach it as a csv or pdf instead of inline text?
Alternately you could use the sendemail command and set inline=false to force the attachment.