Alerting

How to control email sender's displayed name at receiver's inbox from all members in our search head cluster?

Builder

We have 4 servers in a search head cluster. When we receive Splunk alerts from 3 out of 4 servers, they are displayed as received From "Splunk Alert". Emails from the last server are displayed as From splunk@hostname.
All 4 servers have identical $SPLUNK_HOME/etc/system/default/alert_actions.conf and local/alert_actions.conf files:

1) ...default/alert_actions.conf:

    ...
    # from email address (name only, host will be appended automatically from mailserver)
    from=splunk
    subject                 = Splunk Alert: $name$
    subject.alert   = Splunk Alert: $name$
    subject.report  = Splunk Report: $name$
    useNSSubject    = 0

2) ...local/alert_actions.conf:

    [email]
    from = splunk
    pdf.header_left = none
    pdf.header_right = none

Any ideas what might cause this situation? Our goal is to receive emails from all 4 servers as from "Splunk Alert".

0 Karma
1 Solution

Builder

I've contacted our messaging team, explained the issue and as they said "it's easy to fix". They added that email address to Contact "Splunk Alert".

0 Karma

Path Finder

The from in the email stanza defaults to splunk@$LOCALHOST but you can set it to anything. To have them send from the same address, just set them all to splunk@yourdomain. You can't set it through the UI in a cluster, it has to be done on the filesystem, but it works for us.

0 Karma

SplunkTrust

A stab in the dark: Does your email client's contact list know one of the email addresses as the full name "Splunk Alert"? If so, teach it the other emails as well.

0 Karma

Builder

@martin_mueller, and you are actually right about it.

After going through all the config files and comparing them on all 4 servers, checking OS mail settings and mail logs without success, I came to the same conclusion as you! I've contacted our messaging team, explained the issue and as they said "it's easy to fix". They added that email address to Contact "Splunk Alert". Unfortunately, I cannot force the alert to be sent from the server in question due to a few reasons, so I am waiting to get an alert from it to confirm that it was solved.

0 Karma

SplunkTrust

\o/

0 Karma

SplunkTrust

Compare the $SPLUNK_HOME/etc/system/local/alert_actions.conf files. That's where the difference is hiding.

Never change anything in a 'default' directory.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Builder

@richgalloway $SPLUNK_HOME/etc/system/local/alert_actions.conf files are also the same (just updated the question) on all 4 servers.

0 Karma

SplunkTrust

Or run the btool command on alert_actions.conf with the debug option to see what and where the difference is.

    $SPLUNK_HOME/bin/splunk cmd btool alert_actions list --debug

0 Karma
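An added example, not part of the original thread: one way to compare the effective settings that `btool alert_actions list --debug` reports on each cluster member, showing which file supplies a differing value. The host names, paths and sample output below are constructed; the parser assumes each debug line is the source file path followed by the stanza header or setting.

```python
import re
from collections import defaultdict

# Constructed sample output of `splunk cmd btool alert_actions list --debug`
# from two hypothetical members (line = source file, whitespace, setting).
SAMPLE = {
    "sh1": """\
/opt/splunk/etc/system/local/alert_actions.conf   [email]
/opt/splunk/etc/system/local/alert_actions.conf   from = splunk
/opt/splunk/etc/system/default/alert_actions.conf subject = Splunk Alert: $name$
""",
    "sh2": """\
/opt/splunk/etc/system/local/alert_actions.conf   [email]
/opt/splunk/etc/apps/search/local/alert_actions.conf from = splunk@sh2.example.test
/opt/splunk/etc/system/default/alert_actions.conf subject = Splunk Alert: $name$
""",
}

LINE = re.compile(r"^(\S+)\s+(.*)$")

def parse_btool(text):
    """Return {(stanza, key): (value, source_file)} from btool --debug output."""
    settings, stanza = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        src, body = m.groups()
        if body.startswith("[") and body.endswith("]"):
            stanza = body[1:-1]
        elif "=" in body and stanza is not None:
            key, _, value = body.partition("=")
            settings[(stanza, key.strip())] = (value.strip(), src)
    return settings

def diff_hosts(outputs):
    """Return {(stanza, key): {host: (value, source)}} where values differ."""
    seen = defaultdict(dict)
    for host, text in outputs.items():
        for sk, vs in parse_btool(text).items():
            seen[sk][host] = vs
    hosts = set(outputs)
    # A setting differs if a host lacks it or the effective values disagree;
    # the same value coming from different files is not reported.
    return {sk: per for sk, per in seen.items()
            if set(per) != hosts or len({v for v, _ in per.values()}) > 1}

if __name__ == "__main__":
    for (stanza, key), per in diff_hosts(SAMPLE).items():
        for host, (value, src) in sorted(per.items()):
            print(f"[{stanza}] {key}: {host} -> {value!r} ({src})")
```

An empty result means the members' effective configuration matches, so the difference has to be looked for outside Splunk, such as the mail server or the mail client.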

Builder

@somesoni2, no difference found by running btool 😞

0 Karma