How to change the "FROM" address when alert emails...

adityapavan18 · ‎03-02-2015

As of now when email alerts are sent, the from address is the hostname of server sending the alert.
Is it possible to change that to a generic one like the internal splunk support team.

eg: As of now the from in email alerts is

splunk@reportingserver.com

Can i get it changed to

splunksupport@company.com

klemaned · ‎10-12-2018

[email]
from =

The @domain.com portion is applied by the email relay server

snethala_splunk · ‎02-27-2018

Create a file alert_actions.conf on the system/local of the SH, and have the below config, then restart.
cat /opt/splunk/etc/system/local/alert_actions.conf
[email]
from = splunksupport@company.com

Note: - This was an old question, providing a direct answer, than getting into docs and investigating.

Jasdeep · ‎06-06-2023

@snethala_splunk Thankyou, I had to struggle a lot before getting to this,
You can simply change sender's email address in below configuration and it worked for me.
/splunk/etc/system/local/alert_actions.conf

[email]
mailserver = localhost
pdf.header_left = none
pdf.header_right = none
from = Splunk@companyname.com

Before making config changes, you can test it out first to see its a valid email/company domain combination,
<your Search>| sendemail to= <your email> from= Splunk@companyname.com

s2_splunk · ‎03-02-2015

See the documentation for alertactions.conf here, specifically the from= attribute under the [email] stanza.

How to change the "FROM" address when alert emails are sent?

Observability | How to Think About Instrumentation Overhead (White Paper)

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

The Great Resilience Quest: 10th Leaderboard Update