I have an alert_actions.conf being ignored


I have an alert_actions.conf file that is pushed out to our search heads via deployment server. All of the settings (hostname, mailserver, from) are being ignored when in the app context. If I move the same file into $SPLUNK_HOME/etc/system/local, everything works.

I ran "splunk cmd btool alert_actions list" and the output is identical no matter where I put alert_actions.conf. In both cases, it looks like the settings are correct.

Any ideas on why this doesn't work?



Add a local.meta file to "alertactionappname/metadata" with the following stanza:

export = system

This will do the job and solve the problem.


Don't forget to do an SHC rolling restart. You can also put it in default.meta.

0 Karma
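An added example, not part of the original thread and not Splunk tooling: a small audit that lists each app shipping alert_actions.conf together with the export scope its metadata gives that file. The function and app names are hypothetical, the sample tree is constructed, and the script assumes the usual .meta layering (local.meta over default.meta, `[]` then `[alert_actions]` then `[alert_actions/email]` from least to most specific) and treats a missing export setting as app-only.

```python
import tempfile
from pathlib import Path

def parse_meta(path):
    """Parse a Splunk .meta file into {stanza_name: {key: value}}."""
    stanzas, current = {}, None
    text = path.read_text() if path.is_file() else ""
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and not line.startswith("#") and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def effective_export(app_dir, conf="alert_actions", stanza="email"):
    """Export scope applying to [conf/stanza]; 'none' means app-only (assumed default)."""
    merged = {}
    for name in ("default.meta", "local.meta"):  # local.meta overrides default.meta
        for st, kv in parse_meta(Path(app_dir) / "metadata" / name).items():
            merged.setdefault(st, {}).update(kv)
    scope = "none"
    for st in ("", conf, f"{conf}/{stanza}"):  # least to most specific stanza
        scope = merged.get(st, {}).get("export", scope)
    return scope

def audit(apps_dir):
    """Map app name -> export scope for each app that ships alert_actions.conf."""
    return {app.name: effective_export(app)
            for app in sorted(Path(apps_dir).iterdir())
            if any((app / d / "alert_actions.conf").is_file() for d in ("default", "local"))}

def build_sample(root):
    """Constructed sample tree with three hypothetical apps."""
    apps = {"mail_private": {},
            "mail_exported": {"metadata/local.meta": "[alert_actions]\nexport = system\n"},
            "mail_overridden": {"metadata/default.meta": "[]\nexport = system\n",
                                "metadata/local.meta": "[alert_actions/email]\nexport = none\n"}}
    for app, files in apps.items():
        files["local/alert_actions.conf"] = "[email]\nmailserver = mail.example.invalid\n"
        for rel, text in files.items():
            target = Path(root) / app / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text)
    return Path(root)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit(build_sample(tmp)))
```

Pointing `audit()` at a real `$SPLUNK_HOME/etc/apps` (or a search head cluster's deployed apps directory) shows which apps would need the metadata change before their mail settings can apply outside the app.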

Path Finder

Antonio (my Splunk homey) went through this - the answer is in precedence and I don't think it's a bug.


alert_actions.conf is effective at app/user scope - not global.

If you deliver alert_actions.conf to an instance in an app ON ITS OWN - it will have no effect.

If you deliver it into an app which has search configurations (where you are generating reports you wish to email) - it works exactly as defined.

The access URL tells you which scope you're in. I have put an alert_actions.conf in

I can configure it from the GUI if I want from this url:

If I want to email searches from within the search app - I must place the file in

And I configure it from the GUI using this URL:

Its scope of effect is 'app/user', not global.

A user can provide his own alert_actions.conf - but again, it's in the userdir for a specific app, not for all apps.


Splunk Employee

Any thoughts on if it can be made global using an export = system in the default.meta of a custom app?

0 Karma

Path Finder

It is highly unlikely Splunk changed the precedence rules for that file between releases. Antonio tested it on 5.* and saw the same behaviour...

0 Karma

Splunk Employee

That may be for 6*, but is it different for 5*?

0 Karma

Splunk Employee

SPL-55476 was never validated and it is not a valid bug.
I have it working on 5.0.5; Splunk is connecting to the mailserver indicated below.


/opt/SPLUNK/5.0.5-DS/splunk $ cat etc/deployment-apps/testDeployApp/local/alert_actions.conf 
auth_password = $1$d2gP+53E8tz
auth_username =
mailserver =
reportServerURL = 
from =


/opt/SPLUNK/5.0.5-DC/splunk/bin $ ./splunk btool alert_actions list email --debug | egrep -o 'alert_action.*' | egrep -v command
alert_actions.conf [email]
alert_actions.conf auth_password = $1$ndCtP+qYE8tz
alert_actions.conf auth_username =
alert_actions.conf           bcc = 
alert_actions.conf           cc = 
alert_actions.conf           format = html
alert_actions.conf from =
alert_actions.conf           hostname = 
alert_actions.conf           inline = 0
alert_actions.conf mailserver =
alert_actions.conf           maxresults = 10000
alert_actions.conf           maxtime = 5m
alert_actions.conf           pdfview = 
alert_actions.conf           preprocess_results = 
alert_actions.conf           reportCIDFontList = gb cns jp kor
alert_actions.conf           reportIncludeSplunkLogo = 1
alert_actions.conf           reportPaperOrientation = portrait
alert_actions.conf           reportPaperSize = letter
alert_actions.conf           reportServerEnabled = false
alert_actions.conf reportServerURL = 
alert_actions.conf           sendpdf = 0
alert_actions.conf           sendresults = 0
alert_actions.conf           subject = Splunk Alert: $name$
alert_actions.conf           to = 
alert_actions.conf           track_alert = 1
alert_actions.conf           ttl = 86400
alert_actions.conf           use_ssl = 0
alert_actions.conf           use_tls = 0
alert_actions.conf           width_sort_columns = 1



I found the same exact issue on my Splunk Server. This seems to be a bug with Splunk where the Splunk Search Head only recognizes alert_actions.conf in the local (/opt/splunk/etc/system/local) config directory.

Submitted a bug report.

Splunk Employee

I don't see SPL-55476 listed on Has this been listed as a known issue or fixed?

0 Karma

Splunk Employee

Splunk bug SPL-55476 was created to address this issue. Thanks everyone that continues to reference this answer post.

0 Karma


Support Case # 84640 for this issue.

0 Karma


@ddeighton it might be an idea for you to also file a bug report just so Splunk are aware it is afflicting more than one user, also they may find multiple data sources on the bug helpful -> if @cbowles could share his support ref then you could include that within your ticket so they can link the two issues quickly.

0 Karma


Thanks, cbowles, for confirming the problem and filing the bug report.

0 Karma