I have an alert_actions.conf being ignored


I have an alert_actions.conf file that is pushed out to our search heads via deployment server. All of the settings (hostname, mailserver, from) are being ignored when in the app context. If I move the same file into $SPLUNK_HOME/etc/system/local, everything works.

I ran "splunk cmd btool alert_actions list" and the output is identical no matter where I put alert_actions.conf. In both cases, it looks like the settings are correct.

Any ideas on why this doesn't work?



Add a local.meta file to "alertactionappname/metadata" with the following stanza:

export = system

This will do the job and solve the problem.


Don't forget to do an SHC rolling restart; you can also put it in default.meta.

0 Karma
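The metadata fix suggested in the answer above, as an added example that is not part of the original thread or Splunk's own code: a small parser that reports whether an app's metadata exports alert_actions.conf settings to system scope. The `[alert_actions]` stanza header, the sample files and the simplified precedence model (local.meta over default.meta, most specific stanza wins) are assumptions.

```python
# Added example: resolve the effective "export" setting for an app's
# alert_actions.conf [email] stanza from its metadata files.
# Assumption: simplified model of .meta handling (local.meta overrides
# default.meta per key, then the most specific stanza wins).

def parse_meta(text):
    """Parse .meta text into {stanza_name: {key: value}}; '' is the [] stanza."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def effective_export(default_meta, local_meta, conf="alert_actions", stanza="email"):
    """Return 'system', 'none', or None (unset, so the settings stay app-scoped)."""
    merged = parse_meta(default_meta)
    for name, settings in parse_meta(local_meta).items():
        merged.setdefault(name, {}).update(settings)  # local.meta wins per key
    for name in (f"{conf}/{stanza}", conf, ""):        # most specific first
        if "export" in merged.get(name, {}):
            return merged[name]["export"]
    return None

# Constructed sample metadata for a hypothetical app (not from the thread).
DEFAULT_META = """
[]
access = read : [ * ], write : [ admin ]
"""
LOCAL_META_FIXED = """
[alert_actions]
export = system
"""

if __name__ == "__main__":
    # App delivered with no export setting: settings stay app-scoped.
    print(effective_export(DEFAULT_META, ""))                # None
    # Same app after adding the local.meta stanza.
    print(effective_export(DEFAULT_META, LOCAL_META_FIXED))  # system
```
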

Path Finder

Antonio (my Splunk homey) went through this - the answer is in precedence and I don't think it's a bug.


alert_actions.conf is effective at app/user scope - not global.

If you deliver alert_actions.conf to an instance in an app ON ITS OWN - it will have no effect.

If you deliver it into an app which has search configurations (where you are generating reports you wish to email) - it works exactly as defined.

The access URL tells you which scope you're in. I have put an alert_actions.conf in

I can configure it from the GUI if I want from this url:

If I want to email searches from within the search app - I must place the file in

and I configure it from the GUI using this URL:

Its scope of effect is 'app/user', not global.

A user can provide his own alert_actions.conf - but again, it's in the userdir for a specific app, not for all apps.


Splunk Employee

Any thoughts on if it can be made global using an export = system in the default.meta of a custom app?

0 Karma

Path Finder

It is highly unlikely Splunk changed the precedence rules for that file between releases. Antonio tested it on 5.* and saw the same behaviour...

0 Karma

Splunk Employee

That may be for 6*, but is it different for 5*?

0 Karma

Splunk Employee

SPL-55476 was never validated and it is not a valid bug.
I have it working on 5.0.5; Splunk is connecting to the mailserver indicated below.


/opt/SPLUNK/5.0.5-DS/splunk $ cat etc/deployment-apps/testDeployApp/local/alert_actions.conf 
auth_password = $1$d2gP+53E8tz
auth_username =
mailserver =
reportServerURL = 
from =


/opt/SPLUNK/5.0.5-DC/splunk/bin $ ./splunk btool alert_actions list email --debug | egrep -o 'alert_action.*' | egrep -v command
alert_actions.conf [email]
alert_actions.conf auth_password = $1$ndCtP+qYE8tz
alert_actions.conf auth_username =
alert_actions.conf           bcc = 
alert_actions.conf           cc = 
alert_actions.conf           format = html
alert_actions.conf from =
alert_actions.conf           hostname = 
alert_actions.conf           inline = 0
alert_actions.conf mailserver =
alert_actions.conf           maxresults = 10000
alert_actions.conf           maxtime = 5m
alert_actions.conf           pdfview = 
alert_actions.conf           preprocess_results = 
alert_actions.conf           reportCIDFontList = gb cns jp kor
alert_actions.conf           reportIncludeSplunkLogo = 1
alert_actions.conf           reportPaperOrientation = portrait
alert_actions.conf           reportPaperSize = letter
alert_actions.conf           reportServerEnabled = false
alert_actions.conf reportServerURL = 
alert_actions.conf           sendpdf = 0
alert_actions.conf           sendresults = 0
alert_actions.conf           subject = Splunk Alert: $name$
alert_actions.conf           to = 
alert_actions.conf           track_alert = 1
alert_actions.conf           ttl = 86400
alert_actions.conf           use_ssl = 0
alert_actions.conf           use_tls = 0
alert_actions.conf           width_sort_columns = 1



I found the same exact issue on my Splunk Server. This seems to be a bug with Splunk where the Splunk Search Head only recognizes alert_actions.conf in the local (/opt/splunk/etc/system/local) config directory.

Submitted a bug report.

Splunk Employee

I don't see SPL-55476 listed on Has this been listed as a known issue or fixed?

0 Karma

Splunk Employee

Splunk bug SPL-55476 was created to address this issue. Thanks everyone that continues to reference this answer post.

0 Karma


Support Case # 84640 for this issue.

0 Karma


@ddeighton it might be an idea for you to also file a bug report just so Splunk are aware it is afflicting more than one user, also they may find multiple data sources on the bug helpful -> if @cbowles could share his support ref then you could include that within your ticket so they can link the two issues quickly.

0 Karma


Thanks, cbowles, for confirming the problem and filing the bug report.

0 Karma