Hi a212830,
you're lucky, because I have a good day ... here is how you can fix your problem 😉
In etc/apps/search/bin/
you will find the sendemail.py
script which handles the alerts email. Backup Backup Backup Backup Backup Backup Backup Backup Backup Backup this script and bofore I forget it, make a Backup of this script. Open it by using your favorite editor, navigate to line 341 which should look like this:
buildHTMLBody(ssContent, resultsWithRenderedTime, settings, emailAlt, jobCount)
now simply comment this line out like this:
#buildHTMLBody(ssContent, resultsWithRenderedTime, settings, emailAlt, jobCount)
and magically all future alert will be text-only
emails.
Tested and working with all kind of attachments and report features in Splunk 6.1.1.
Thanks for all the fish ... ah no, kudos and remember: you break something, you fix it 🙂
Also be aware, that any future update of Splunk could revert the sendemail.py
to the default one!
cheers, MuS
Tried it on 6.4.2 but resulted in "External search command 'sendemail' returned error code 1. "
Replacing it with the original .py (no restarts etc required) makes it work again immediately.
Can you confirm this workaround still is applicable and more specific as below?
if content_type == 'html':
#buildHTMLBody(ssContent, resultsWithRenderedTime, settings, emailBody, jobCount)
buildHeaders(argvals, ssContent, email, sid, serverInfoContent)
#attach attachments
Hi tweaktubbie,
the latest version of Splunk support HTML or plain text by default http://docs.splunk.com/Documentation/Splunk/6.5.1/Alert/Emailnotification
But if you still need to change the python script sendemail.py
manually make sure the python intention do match (Python is picky on spaces or tabs usage) also check the python.log
in Splunk for any errors.
You can also run the script like this to see what is going on:
$SPLUNK_HOME/bin splunk cmd python $SPLUNK_HOME/etc/apps/search/bin/sendemail.py add here any option you need
cheers, MuS
Great tip thnx, indeed a tab was needed for the # out part 😉
All emails in Splunk 6.1 are sent as multipart emails that include both text and html.
I'll tell you why - v6 relies a lot on whizz-bang, pretty, pretty to impress, rather than the operating simplicity of previous versions. Not offering the option to suppress pushes the same hollow conjurations into the e-mail alerts. They want the e-mails to wow the the board-level people who sign the cheques. It's good for the brand and revenues, even if it's a pain for the real users.
It's not uncommon, these days, for some features to be designed primarily to dazzle the layman suits with the purse strings.
Anyone in the meantime found a way to fix this multipart thing? It seems Splunk is ignoring this 'works as designed' issue for over two years. I wouldn't mind hacking one file but I don't want have the issue back after patching or updating. Even if it'd mean ALL mail alerts are plain text, there has to be some mail server functionality possible for really plain plain text, not some multipart message. A specific filter [SMS*] in some alert config file for specific alerts, or a mail profile to be used for specific alerts?
Anyone find a work-around on this? I don't understand why Splunk would do this - many people want plain text emails, and to just take away that functionality is very short-sighted.
That stinks. Many alerting systems expect emails to be plain text, and this puts a burden on them to parse it.
Anyone? Please don't tell me that they don't support plain text.
Speaking from our 6.4.2 under the alert, there's Alert actions - Click to edit actions. You can now choose the Plain Text button. However as annoying as it is, it still does send a multimime-kind of message, which means it'll display in your mail client a plain text mail without HTML. Forwarding it to an SMS / messaging service is still impossible, as it'll display the characters of the mail source.