You can configure email notifications when you save a search as an alert. You can also configure email notifications when editing an alert's actions. The procedure is the same in both cases.
After running a search, save the search as an alert and configure email notification settings.
1) Run the search.
2) Select **Save As > Alert.**
3) Provide a Title and other information about the alert.
4) From the Add Actions menu, select Send email.
5) Specify the following:
   - To, CC, and BCC email recipients: Specify a comma-separated list of email recipients.
   - Priority: Enforcement of priority depends on your email client.
   - Subject
   - Message
   - Include: You can include the following items:
     - Information about the search: Link to the alert, Search string, Trigger condition, Trigger time
     - Information about search results: Link to results; Inline listing of results, as a table, raw events, or CSV file; Results as a PDF attachment; Results as a CSV attachment
   - Type: Select HTML & Plain Text (multi-MIME message) or Plain Text
6) Specify other alert actions. See set up alert actions for more information.
7) Click Save.
To complete what I am saying, click on http://docs.splunk.com/Documentation/Splunk/6.3.3/Alert/Emailnotification
You can also use the Sendemail command. To use it, see this link:
While I am running the query
sourcetype="rum" u=* |where t_done >10000 | sendemail to="example.com".
I get this error
command="sendemail", [Errno 11004] getaddrinfo failed while sending mail to: example.com.
What can I do?
Look at the following example:
Send an email notification with a PDF attachment, a message, and raw inline results.
index=_internal | head 5 | sendemail to="firstname.lastname@example.org" server=mail.example.com subject="Here is an email from Splunk" message="This is an example message" sendresults=true inline=true format=raw sendpdf=true
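
The email settings from steps 4 and 5 of the first answer can also be written as a savedsearches.conf stanza. This is an added example, not part of the thread or of Splunk's documentation; the stanza name, schedule, time range, trigger threshold, and second recipient are constructed placeholders, and the search is the one quoted in the thread.

```ini
# savedsearches.conf
# Constructed example: stanza name, schedule and recipients are placeholders.
[RUM slow page loads]
search = sourcetype="rum" u=* | where t_done > 10000
dispatch.earliest_time = -15m
dispatch.latest_time = now
enableSched = 1
cron_schedule = */15 * * * *

# Trigger condition: at least one matching event.
counttype = number of events
relation = greater than
quantity = 0

# Step 4: enable the "Send email" action.
action.email = 1

# Step 5: recipients are full addresses in a comma-separated list.
action.email.to = firstname.lastname@example.org, oncall@example.org
action.email.priority = 3
action.email.subject = Splunk Alert: $name$
action.email.message.alert = The alert condition for '$name$' was triggered.

# "Include" items: information about the search.
action.email.include.view_link = 1
action.email.include.search = 1
action.email.include.trigger = 1
action.email.include.trigger_time = 1

# "Include" items: information about the results.
# Inline results and attachments copy event data into recipients'
# mailboxes, so enable only what the recipients need to see.
action.email.include.results_link = 1
action.email.inline = 1
action.email.format = table
action.email.sendpdf = 0
action.email.sendcsv = 0

# Type: html corresponds to "HTML & Plain Text", plain to "Plain Text".
action.email.content_type = html
```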