Re: Uniform Alert Sender for Splunk SHC

jaracan · ‎09-03-2020

Hi Splunkers,

We recently migrated to Splunk Search Head Clustering. We are using a Load Balancer in front of 3 Search Heads Clustered so that the users can access the set of search heads through a single interface, without needing to specify a particular one.

Now, we notice that the email alerts we received are coming randomly from any of the 3 Search Heads Clustered. It means the email alert sender for Splunk SHC comes from any 3 Search Heads Clustered. Is there a way to make it appear the alert is being sent by the load balancer name? So that once the users receives the alerts, the email alert sender is uniform.

richgalloway · ‎09-03-2020

Try going to Settings->Email settings and putting the load balancer's name in the "Link hostname" field. Do it on all search heads.

---
If this reply helps you, Karma would be appreciated.

Uniform Alert Sender for Splunk SHC

alert action

email

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation