Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- How to change the "From" address when an alert ema...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have 4 search head servers in search cluster. One of them was added recently.
When Splunk alerts come from "old" servers , they show "Splunk Alert splunk@servername.com" as a sender.
Splunk Alerts from a newly added server has just "splunk@servername.com". As a result, a recipient of the email sees this email address, not the name "Splunk Alert".
Cannot find where to change it. All servers have the same /opt/splunk/etc/system/default/alert_actions.conf
Thank you in advance for any suggestions.
UPDATE: the fix for the issue above was not Splunk related. The following splunk@ was added to existing Contact "Splunk Alerts" by our AD administrator.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@somesoni2, just an update fyi. In our case the issue was resolved not through Splunk at all, but through our mail exchange settings. Apparently, we had a Contact called "Splunk Alerts" . Messaging administrator just added splunk@hostname.acml.com to that contact.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@somesoni2, just an update fyi. In our case the issue was resolved not through Splunk at all, but through our mail exchange settings. Apparently, we had a Contact called "Splunk Alerts" . Messaging administrator just added splunk@hostname.acml.com to that contact.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The default from email address in newer versions is splunk@$LOCALHOST. You should be able to update the from email address by updating the alert_actions.conf file's [email] stanza. Refrain modifying any conf file in the directory /opt/splunk/etc/system/default/. It's a big no-no. You can create a file alert_actions.conf in the directory /opt/splunk/etc/system/local/ instead and add following :-
/opt/splunk/etc/system/local/alert_actions.conf
[email]
from = Splunk Alert splunk@hostname.acml.com
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Under "old" - I meant servers that were already members of the cluster. All 4 servers have the same splunk version "6.3.3" and all 4 servers have the same line in [email] stanza:
from = splunk
But when email actually comes to a recipient , the "From" field looks different:
1. for newly added splunk search head it's
From splunk@hostname.com
Splunk Alert Test
2. From other search head servers it's
From Splunk Alert
Splunk Alert Test
Note: not of them has $SPLUNK_HOME/etc/system/local/alert_ations.conf version
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In addition, to my previous comment: when I put 'Splunk Alert' as 'from' in [email] stanza,
the system takes first word 'Splunk' and adds hostname by default. the second word 'Alert' is not used
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
Unlock What’s Next: The Splunk Cloud Platform at .conf25
