Out of the box Splunk's email system escapes all HTML elements, so if you used <b>this is bold</b>
it would appear literally.
You can change that behaviour quick and dirty by making a backup of etc/apps/search/bin/sendemail.py, modifying the original by changing ${msg|h}
to ${msg}
in line 672, and then using HTML in your alert email texts.
HOWEVER, you have to be aware of a few things:
A nicer way would be to write a custom alert action as a kind of "advanced sendemail" without the escaping of HTML elements, and only grant permission to this to advanced users. That wouldn't be global, would survive upgrades, would be shareable on splunkbase, but would be a bit more effort.
Out of the box Splunk's email system escapes all HTML elements, so if you used <b>this is bold</b>
it would appear literally.
You can change that behaviour quick and dirty by making a backup of etc/apps/search/bin/sendemail.py, modifying the original by changing ${msg|h}
to ${msg}
in line 672, and then using HTML in your alert email texts.
HOWEVER, you have to be aware of a few things:
A nicer way would be to write a custom alert action as a kind of "advanced sendemail" without the escaping of HTML elements, and only grant permission to this to advanced users. That wouldn't be global, would survive upgrades, would be shareable on splunkbase, but would be a bit more effort.
Adding to Martin's point, you may as well create a scripted solution which will give you more flexibility.
Moreover if you are just copying the sendemail.py to your own app it will not be overwritten upon upgrade but may malfunction upon the original sendemail.py structure change for on splunk instance. I have been following the same method for colors, font, resizing text + own scripted alerts.
Hi Linu1988, Thanks for the response!Can you share the script for resizing text.
If you have a solution built, do consider sharing that on splunkbase 🙂