Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk alert mails and its content

Deepz2612
Explorer
‎03-22-2019 01:16 AM

Hi,

Is there a way to get the list of Splunk alert mails being sent and the mail body content pls.

Tags (1)
0 Karma
Reply

whrg
Motivator
‎03-22-2019 01:54 AM

Hello @Deepz2612,

I use the following Splunk search for listing all triggered email alerts:

index=_audit source=audittrail sourcetype=audittrail alert_actions=email
| eval _time=trigger_time
| rename ss_name as Alert severity as Severity triggered_alerts as Count
| eval Severity=case(Severity==1,"Info",Severity==2,"Low",Severity==3,"Medium",Severity==4,"High",Severity==5,"Critical")
| table _time,Alert,Severity,Count | sort -_time

About the mail body content: I don't think that Splunk logs the mail body. I could not find it anywhere in the internal indexes. I would suggest that you send your alerts to an additional email address for logging purposes. (You can specify multiple email addresses separated by commas in the alert's settings.)

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...