Alerting

What is Email Report format?

hartfoml
Motivator

I have an alert that sends an email every day at 6:00 AM that is formatted as a table to show me the systems that have been rebooted in the last 24 hours.

In the email is the content of the search that was run:

Name: 'Server Restarts'
**Query Terms: 'index=main EventCode=1074 SourceName="USER32" | rex field=_raw "Comment:\s(?<comment>.*)" | rex field=Message "The process\s(?<process>[^\s]+)" | transaction host maxspan=5m | eval user_count=mvcount(User) | eval final_user=case(user_count == 1, User, user_count > 1, mvindex(User, user_count-1)) | eval process_count=mvcount(process) | eval final_process=case(process_count == 1, process, process_count > 1, mvindex(process, process_count-1)) | table _time host final_user final_process comment | rename _time AS Time | convert timeformat="%m/%d/%Y. %H:%M:%S" ctime(Time) | rename final_user AS Username | rename final_process AS "Process name" | rename comment AS "Comment"'
Link to results: https://xxx.xxx.xxx.48:8000/app/search/@go?sid=scheduler
Alert was triggered because of: 'Saved Search [Server Restarts]: number of events(4)'**

Time host Username Process name Comment
09/28/2011. 05:30:00 XXXWEB02 ESCG\cfldap winlogon.exe 60
09/28/2011. 05:00:03 XXXAPP03 NT AUTHORITY\SYSTEM PSSDNSVC.EXE
09/27/2011. 11:51:23 XXXUSERAPPS XXX\xxxxS Explorer.EXE
09/27/2011. 11:22:40 XXXAPP10 NT AUTHORITY\SYSTEM svchost.exe

I want the email to have only the table, without the search text in **bold** above.

How do I get this info out of the email alert?

1 Solution

DerekB
Splunk Employee

Starting in Splunk 6.1, this ability is built into the product. Edit your search and look under the "Click to edit email action" link in the "Alert Actions" section. It's a simple check box you can uncheck. It's in the picture in step 4.

http://docs.splunk.com/Documentation/Splunk/6.1.1/Alert/Setupalertactions


CutieHoney
Observer

This answer appears to no longer be valid. Can you provide newer documentation on how to do this?


hjwang
Contributor

This is quite easy. In Splunk, the e-mail alert is triggered by the saved search, which then calls the Python script $SPLUNK_HOME/etc/apps/search/bin/sendemail.py. In this script, you can find this part of the code in the mail function:

if pdfview:
    intro += 'Scheduled view delivery.\n\nA PDF snapshot has been generated for the view: %s.\n\n' % pdfview

else:
    intro += "Saved search results.\n\n"

    if settings != None:
        user  = settings.get("user", None)
        if user != None:
            intro += "User: \'" + user + "\'\n"

    ssName = argvals.get("ssname", None)
    if ssName != None:
        if not plainText:
            ssName = cgi.escape(ssName)
        intro += "Name: \'" + ssName + "\'\n"

    query = argvals.get("ssquery", None)
    # Here you can comment out the last line of the following block, the one that
    # appends "Query Terms: ...", so the search string is no longer written into the e-mail.
    if query != None:
        if not plainText:
            query = cgi.escape(query)
        intro += "Query Terms: \'" + query + "\'\n"   # <- comment out this line
    ...
    ...
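If you would rather not patch sendemail.py (files under the search app's bin directory are typically overwritten on upgrade), the same cut can be made on the receiving side. The following is an added example, not code from this thread or from Splunk: it takes an alert e-mail body like the one in the question, drops the preamble lines that carry the search name, query and results link, and parses the remaining table into rows. SAMPLE_EMAIL is a constructed sample built from the values in the question, and PREAMBLE_KEYS is an assumed list of the intro lines sendemail.py emits.

```python
import re
from datetime import datetime

# Constructed sample of the alert e-mail body from the question: the preamble that
# sendemail.py prepends, followed by the result table the asker actually wants.
SAMPLE_EMAIL = """Saved search results.

Name: 'Server Restarts'
Query Terms: 'index=main EventCode=1074 SourceName="USER32" | ... | rename comment AS "Comment"'
Link to results: https://xxx.xxx.xxx.48:8000/app/search/@go?sid=scheduler
Alert was triggered because of: 'Saved Search [Server Restarts]: number of events(4)'

Time host Username Process name Comment
09/28/2011. 05:30:00 XXXWEB02 ESCG\\cfldap winlogon.exe 60
09/28/2011. 05:00:03 XXXAPP03 NT AUTHORITY\\SYSTEM PSSDNSVC.EXE
09/27/2011. 11:51:23 XXXUSERAPPS XXX\\xxxxS Explorer.EXE
09/27/2011. 11:22:40 XXXAPP10 NT AUTHORITY\\SYSTEM svchost.exe
"""

TIME_FMT = "%m/%d/%Y. %H:%M:%S"  # the ctime() timeformat used in the search
# Assumed: the lines the intro-building code in sendemail.py can emit before the results.
PREAMBLE_KEYS = ("Saved search results.", "User:", "Name:", "Query Terms:",
                 "Link to results:", "Alert was triggered because of:")
ROW_RE = re.compile(
    r"^(?P<time>\d{2}/\d{2}/\d{4}\. \d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+"
    r"(?P<user>.+?)\s+"  # lazy: a username like 'NT AUTHORITY\SYSTEM' contains a space
    r"(?P<process>\S+\.(?:exe|EXE))"
    r"(?:\s+(?P<comment>.*?))?\s*$"
)

def strip_preamble(body):
    """Keep only the table lines, dropping the search name, query text and results link."""
    return [line for line in body.splitlines()
            if line.strip() and not line.startswith(PREAMBLE_KEYS)]

def parse_rows(body):
    """Parse table rows into dicts; the header line has no timestamp and is skipped."""
    rows = []
    for line in strip_preamble(body):
        m = ROW_RE.match(line)
        if m:
            d = m.groupdict()
            d["time"] = datetime.strptime(d["time"], TIME_FMT)
            d["comment"] = d["comment"] or ""
            rows.append(d)
    return rows
```

Beyond hiding the bold block, dropping the preamble also keeps the index name, field logic and the internal host:port in the results link out of mail that may be forwarded outside the team.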