I have an alert_actions.conf file that is pushed out to our search heads via deployment server. All of the settings (hostname, mailserver, from) are being ignored when in the app context. If I move the same file into $SPLUNK_HOME/etc/system/local, everything works.
I ran "splunk cmd btool alert_actions list" and the output is identical no matter where I put alert_actions.conf. In both cases, it looks like the settings are correct.
Any ideas on why this doesn't work?
Antonio (my splunk homey) went through this - the answer is in precedence and I don't think it's a bug.
alert_actions.conf is effective at app/user scope - not global.
if you deliver alert_actions.conf to an instance in an app ON ITS OWN - it will have no effect.
If you deliver it into an app which has search configurations (where you are generating reports you wish to email) - it works exactly as defined.
The access URL tells you which scope you're in. I have put an alert_actions.conf in
I can configure it from the GUI if I want from this url:
If I want to email searches from within the search app - I must place the file in
and i configure it from the gui using this URL:
Its scope of effect is 'app/user', not global.
A user can provide his own alert_actions.conf - but again, it's in the userdir for a specific app, not for all apps.
SPL-55476 was never validated and it is not a valid bug.
I have it working on 5.0.5, splunk is connecting to mailserver indicated below
/opt/SPLUNK/5.0.5-DS/splunk $ cat etc/deployment-apps/testDeployApp/local/alert_actions.conf [email] auth_password = $1$d2gP+53E8tz auth_username = firstname.lastname@example.org mailserver = smtp.mailprovider.com:2500 reportServerURL = from = email@example.com
/opt/SPLUNK/5.0.5-DC/splunk/bin $ ./splunk btool alert_actions list email --debug | egrep -o 'alert_action.*' | egrep -v command alert_actions.conf [email] alert_actions.conf auth_password = $1$ndCtP+qYE8tz alert_actions.conf auth_username = firstname.lastname@example.org alert_actions.conf bcc = alert_actions.conf cc = alert_actions.conf format = html alert_actions.conf from = email@example.com alert_actions.conf hostname = alert_actions.conf inline = 0 alert_actions.conf mailserver = smtp.mailprovider.com:2500 alert_actions.conf maxresults = 10000 alert_actions.conf maxtime = 5m alert_actions.conf pdfview = alert_actions.conf preprocess_results = alert_actions.conf reportCIDFontList = gb cns jp kor alert_actions.conf reportIncludeSplunkLogo = 1 alert_actions.conf reportPaperOrientation = portrait alert_actions.conf reportPaperSize = letter alert_actions.conf reportServerEnabled = false alert_actions.conf reportServerURL = alert_actions.conf sendpdf = 0 alert_actions.conf sendresults = 0 alert_actions.conf subject = Splunk Alert: $name$ alert_actions.conf to = alert_actions.conf track_alert = 1 alert_actions.conf ttl = 86400 alert_actions.conf use_ssl = 0 alert_actions.conf use_tls = 0 alert_actions.conf width_sort_columns = 1
I found the same exact issue on my Splunk Server. This seems to be a bug with Splunk where the Splunk Search Head only recognizes alert_actions.conf in the local (/opt/splunk/etc/system/local) config directory.
Submitted a bug report.
@ddeighton it might be an idea for you to also file a bug report just so Splunk are aware it is aflicting more than one user, also they may find multiple data sources on the bug helpful -> https://www.splunk.com/page/submit_issue if @cbowles could share his support ref then you could include that within your ticket so they can link the two issues quickly.