Alerting

How to set alert emails to send in plain text in splunk 6?

a212830
Champion

Hi,

In Splunk 5, there was an option for sending plain text for emails. I don't see that option anywhere in Splunk 6. How do I set that? The system settings had "Results format when included inline". That option is now gone.

Tags (3)
0 Karma

MuS
Legend

Hi a212830,

you're lucky, because I have a good day ... here is how you can fix your problem 😉

In etc/apps/search/bin/ you will find the sendemail.py script which handles the alerts email. Backup Backup Backup Backup Backup Backup Backup Backup Backup Backup this script and bofore I forget it, make a Backup of this script. Open it by using your favorite editor, navigate to line 341 which should look like this:

 buildHTMLBody(ssContent, resultsWithRenderedTime, settings, emailAlt, jobCount)

now simply comment this line out like this:

 #buildHTMLBody(ssContent, resultsWithRenderedTime, settings, emailAlt, jobCount)

and magically all future alert will be text-only emails.
Tested and working with all kind of attachments and report features in Splunk 6.1.1.

Thanks for all the fish ... ah no, kudos and remember: you break something, you fix it 🙂
Also be aware, that any future update of Splunk could revert the sendemail.py to the default one!

cheers, MuS

tweaktubbie
Communicator

Tried it on 6.4.2 but resulted in "External search command 'sendemail' returned error code 1. "
Replacing it with the original .py (no restarts etc required) makes it work again immediately.
Can you confirm this workaround still is applicable and more specific as below?

    if content_type == 'html':
        #buildHTMLBody(ssContent, resultsWithRenderedTime, settings, emailBody, jobCount)
    buildHeaders(argvals, ssContent, email, sid, serverInfoContent)
    #attach attachments
0 Karma

MuS
Legend

Hi tweaktubbie,

the latest version of Splunk support HTML or plain text by default http://docs.splunk.com/Documentation/Splunk/6.5.1/Alert/Emailnotification

But if you still need to change the python script sendemail.py manually make sure the python intention do match (Python is picky on spaces or tabs usage) also check the python.log in Splunk for any errors.

You can also run the script like this to see what is going on:

$SPLUNK_HOME/bin splunk cmd python $SPLUNK_HOME/etc/apps/search/bin/sendemail.py add here any option you need

cheers, MuS

tweaktubbie
Communicator

Great tip thnx, indeed a tab was needed for the # out part 😉

0 Karma

kfeeney_splunk
Splunk Employee
Splunk Employee

All emails in Splunk 6.1 are sent as multipart emails that include both text and html.

0 Karma

grijhwani
Motivator

I'll tell you why - v6 relies a lot on whizz-bang, pretty, pretty to impress, rather than the operating simplicity of previous versions. Not offering the option to suppress pushes the same hollow conjurations into the e-mail alerts. They want the e-mails to wow the the board-level people who sign the cheques. It's good for the brand and revenues, even if it's a pain for the real users.

It's not uncommon, these days, for some features to be designed primarily to dazzle the layman suits with the purse strings.

0 Karma

tweaktubbie
Communicator

Anyone in the meantime found a way to fix this multipart thing? It seems Splunk is ignoring this 'works as designed' issue for over two years. I wouldn't mind hacking one file but I don't want have the issue back after patching or updating. Even if it'd mean ALL mail alerts are plain text, there has to be some mail server functionality possible for really plain plain text, not some multipart message. A specific filter [SMS*] in some alert config file for specific alerts, or a mail profile to be used for specific alerts?

0 Karma

a212830
Champion

Anyone find a work-around on this? I don't understand why Splunk would do this - many people want plain text emails, and to just take away that functionality is very short-sighted.

0 Karma

a212830
Champion

That stinks. Many alerting systems expect emails to be plain text, and this puts a burden on them to parse it.

0 Karma

a212830
Champion

Anyone? Please don't tell me that they don't support plain text.

0 Karma

tweaktubbie
Communicator

Speaking from our 6.4.2 under the alert, there's Alert actions - Click to edit actions. You can now choose the Plain Text button. However as annoying as it is, it still does send a multimime-kind of message, which means it'll display in your mail client a plain text mail without HTML. Forwarding it to an SMS / messaging service is still impossible, as it'll display the characters of the mail source.

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...