Alerting

Remove query and table header from Emails

Andruep
Engager

Is there any way to remove the query and table header information from alerts? I am aware of a previous question on the topic however there has not been a solution since that posting. Basically some of my alerts will be sent to smartphones and I would like to remove as much content as possible and only provide meaningful fields.

Tags (2)

kknopp
Path Finder

If I were to do something like the above, can I still have it trigger only if there are results? I have started using CASE recently, but that doesn't seem like an appropriate method here...

0range
Communicator

Really, seems like direct sendemail command disables all the alerting conditions, isn't it?

0 Karma

southeringtonp
Motivator

See also this earlier thread. A couple of possibilities:

  • Run a scheduled search, but instead of using the normal alert mechanism, call the sendemail command directly, e.g., |sendemail [email protected] subject="Something" sendresults=true
  • Roll your own version of the emailer script (see thread 6423 for more detail).
  • southeringtonp
    Motivator

    By default, it will use localhost as the mail server. If you want to use a remote server, you can add another parameter server=mail.yourdomain.com

    0 Karma

    Andruep
    Engager

    Thanks for the suggestion, however, I received the error below after adding the sendemail string to the end of my search.

    [Errno 10061] No connection could be made because the target machine actively refused it while sending mail to: [email protected].

    [email protected] is a filler email address. My actual email address was used.

    0 Karma
    Got questions? Get answers!

    Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

    Meet up IRL or virtually!

    Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

    Get Updates on the Splunk Community!

    Introducing ITSI 5.0: Unified Visibility and Actionable Insights

    Introducing ITSI 5.0: Unified Visibility and Actionable Insights Tuesday, July 21, 2026  |  10:00AM PT / ...

    Inside Splunk Agent Observability: Understanding Agent Behavior, Tokens & Costs

    Inside Splunk Agent Observability:Understanding Agent Behavior, Tokens & Costs Thursday, August 06, ...

    From Data to Insight: Announcing the Winners of the Splunk Dashboard Contest

    Hi Splunkers, First off, thank you to everyone who participated in our very first From Data to Insight: The ...