Alerting

How to avoid the search parameter in email alerts

pstamati
Path Finder

Hi everybody.
I've configured a lot of email alerts in Splunk. The problem I see is that when an alert is triggered and I receive it, I see the information plus the configured search string that triggered the alert.
I would like to receive only the results.

Below is an example of the alert I receive by email


Saved search results.

Name: 'ANTIVIRUS - Reporte de actualizacion (Servidores)'
Query Terms: 'sourcetype=\"WMI:WinEventLog:Application\" EventCode=7 |dedup ComputerName | chart count(ComputerName) over ComputerName by virus_defs'
Link to results: https://hostname:8000/app/Liberty/@go?sid=scheduler__pstamati__Liberty_QU5USVZJUlVTIC0gUmVwb3J0ZSBkZ...
Alert was triggered because of: 'Saved Search [ANTIVIRUS - Reporte de actualizacion (Servidores)]: number of events(57)'

<--------- I'd like to receive only from here
ComputerName|140416r.|140417s.

AR-AVAYA-RT|0|1
AR-BES.Liberty.ar|0|1
AR-BSAS-AD1|0|1
AR-BSAS-AD2|0|1
AR-BSAS-DC1.Liberty.ar|0|1

1 Solution

cramasta
Builder

You can modify the alert_actions.conf file located at /etc/system/local

Add the following to the end of the file (or, if there is already a "command=" setting, replace it with the one below). This will remove the search query from the results and "should" remove the URL (haven't tested it yet).

command = sendemail "to=$action.email.to$" "server=$action.email.mailserver{default=localhost}$" "from=$action.email.from{default=splunk@localhost}$" "subject=$action.email.subject{recurse=yes}$" "format=$action.email.format{default=csv}$" "inline=$action.email.inline{default=False}$" "sendresults=$action.email.sendresults{default=False}$" "sslink=$results.url{default=False}$" "sendpdf=$action.email.sendpdf{default=False}$" "pdfview=$action.email.pdfview$" "searchid=$search_id$" "graceful=$graceful{default=True}$" maxinputs="$maxinputs{default=1000}$" maxtime="$action.email.maxtime{default=5m}$"
_validate-1 = action.email.sendresults, validate( is_bool('action.email.sendresults'), "Value of argument 'action.email.sendresults' must be a boolean")

To get rid of the "Saved search results." text you can edit the sendemail.py file to remove it. It currently looks like the line below in the file. If someone knows a better way to keep it from showing up, please let me know.

intro += "Saved search results.\n\n"

You might have to restart Splunk after the change is made.


Ovi
Path Finder

The above solution doesn't work for me (Splunk 5.0.4), but I found a way to accomplish this very nicely by changing just one file instead of two.

Edit ../etc/apps/search/bin/sendemail.py and comment out lines #189-213 as shown below.
(you'll need to change the file permissions from read-only first)
No need to restart Splunk; the change will be picked up at the next alert.
The "inline" alerts will show only the search results without any additional text.
The PDF or CSV alerts are not impacted by this change.

sendemail.py section, starting at line 189:

    # else:
    #     intro += "Saved search results.\n\n"

    # if settings != None:
    #     user  = settings.get("user", None)
    #     if user:
    #         intro += "User: \'" + escape(user, plainText) + "\'\n"

    # if ssName:
    #     intro += "Name: \'" + escape(ssName, plainText) + "\'\n"

    # query = getarg(argvals, "ssquery", None)
    # if query:
    #     intro += "Query Terms: \'" + escape(query, plainText) + "\'\n"

    # ssLink = getarg(argvals, "sslink", None)
    # if ssLink and not plainText:
    #     ssLink = "<a href=\"" + ssLink + "\">" + ssLink + "</a>"

    # if ssLink:
    #     intro += "Link to results: " + ssLink + "\n";

    # ssSummary = getarg(argvals, "sssummary", None)
    # if ssSummary:
    #     intro += "Alert was triggered because of: \'" + escape(ssSummary, plainText) + "\'\n"
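To make concrete what both answers above are switching off, here is an added example (written for this page, not code from Splunk or from either poster) that rebuilds the header block sendemail.py prepends to an alert email, but behind a switch instead of a commented-out region. The function name build_intro, the argvals dictionary keys (ssname, ssquery, sslink, sssummary), the settings dictionary and the sample alert values are assumptions modelled on the commented-out section and on the email quoted in the question; the search id in the link is a constructed placeholder. The point from a defender's side is that the "Query Terms" line reproduces the full SPL of the detection, so an alert recipient (or anyone who can read the mailbox) learns exactly how the detection works; dropping the header keeps the results and nothing else.

```python
"""Added example: rebuild of the sendemail.py intro block with a
results-only switch. Names and sample values are assumptions, not Splunk's."""
from html import escape as html_escape


def escape(value, plain_text):
    """Mirror of the escape() helper used by sendemail.py: plain-text bodies
    are left untouched, values bound for an HTML body are HTML-escaped."""
    return value if plain_text else html_escape(value, quote=True)


def build_intro(argvals, settings=None, plain_text=True, results_only=False):
    """Assemble the header lines that precede the results table.

    argvals      - dict of sendemail arguments (ssname, ssquery, sslink, sssummary)
    settings     - dict carrying the triggering user, as sendemail.py receives it
    results_only - True gives an empty header, the effect of commenting out
                   lines 189-213 as Ovi does above
    """
    if results_only:
        return ""
    intro = "Saved search results.\n\n"
    user = (settings or {}).get("user")
    if user:
        intro += "User: '" + escape(user, plain_text) + "'\n"
    ss_name = argvals.get("ssname")
    if ss_name:
        intro += "Name: '" + escape(ss_name, plain_text) + "'\n"
    query = argvals.get("ssquery")
    if query:
        # This is the line that leaks the detection's SPL into the mailbox.
        intro += "Query Terms: '" + escape(query, plain_text) + "'\n"
    ss_link = argvals.get("sslink")
    if ss_link and not plain_text:
        # The original inserts the URL raw; escaping it is the safe choice for an attribute.
        safe = escape(ss_link, False)
        ss_link = '<a href="' + safe + '">' + safe + "</a>"
    if ss_link:
        intro += "Link to results: " + ss_link + "\n"
    summary = argvals.get("sssummary")
    if summary:
        intro += "Alert was triggered because of: '" + escape(summary, plain_text) + "'\n"
    return intro


def render_email(argvals, results_table, **kwargs):
    """Full body: the (possibly empty) intro followed by the results table."""
    return build_intro(argvals, **kwargs) + results_table


# Constructed sample, modelled on the alert quoted in the question.
SAMPLE_ARGS = {
    "ssname": "ANTIVIRUS - Reporte de actualizacion (Servidores)",
    "ssquery": 'sourcetype="WMI:WinEventLog:Application" EventCode=7 '
               "| dedup ComputerName | chart count(ComputerName) over ComputerName by virus_defs",
    "sslink": "https://hostname:8000/app/Liberty/@go?sid=EXAMPLE-SID",  # placeholder sid
    "sssummary": "Saved Search [ANTIVIRUS - Reporte de actualizacion (Servidores)]: number of events(57)",
}
SAMPLE_RESULTS = "ComputerName|140416r.|140417s.\nAR-AVAYA-RT|0|1\nAR-BSAS-AD1|0|1\n"

if __name__ == "__main__":
    print(render_email(SAMPLE_ARGS, SAMPLE_RESULTS, settings={"user": "pstamati"}))
    print("---- results only ----")
    print(render_email(SAMPLE_ARGS, SAMPLE_RESULTS, results_only=True))
```

Running it prints the full header (name, query terms, link, trigger reason) followed by the table, then the results-only variant, which is just the table. Editing a shipped file as the posters do gets overwritten on upgrade; on later Splunk releases check savedsearches.conf for the per-alert action.email.include.* settings (for example action.email.include.search and action.email.include.results_link), which give the same effect without touching sendemail.py.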

pstamati
Path Finder

Awesome!! Many thanks
