On Splunk 6.2.1.
We have many email alerts that are working fine (email alerts arrive as expected from firstname.lastname@example.org). However one of our alerts sends email from email@example.com. I do notice that whenever I make edits from the Splunk Web UI to this alert and click done, if I look in etc/apps/search/local/savedsearches.conf I see a line like:
action.email.from = firstname.lastname@example.org
I don't want this. There is no 'from' field in Splunk Web. If I manually remove this line from the savedsearches.conf file, it is restored after my next edit from Splunk Web.
Our etc/system/local/alert_actions.conf is like:
[email]
auth_password = **
auth_username = email@example.com
mailserver = smtp.sendgrid.net:465
use_ssl = 1
hostname = splunk.corp.mycompany.com
from = firstname.lastname@example.org
What am I missing? How can I set this alert to go out from email@example.com like all our other alerts?
I don't see anything different in the alert config, but including redacted version here for completeness:
[My Alert]
action.email = 1
action.email.from = firstname.lastname@example.org  # this line keeps coming back
action.email.inline = 1
action.email.message.alert = Dev Spike needs attention!
action.email.reportServerEnabled = 0
action.email.sendresults = 1
action.email.subject.alert = My Alert
action.email.to = email@example.com
action.email.useNSSubject = 1
alert.suppress = 1
alert.suppress.period = 60m
alert.track = 1
counttype = number of events
cron_schedule = */1 * * * *
description = My Description
dispatch.earliest_time = @m-1m
dispatch.latest_time = @m
display.events.fields = ["host","source","sourcetype","severity"]
display.visualizations.chartHeight = 908
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = search
request.ui_dispatch_view = search
search = ***
Specify Email Format settings.
Link hostname. The hostname for outgoing results URLs. Enclose IPv6 addresses in square brackets. For example, use [2001:db8:0:1].
Send emails as. (Optional) Specify a sender identification, used in the "From" email header field. Use an email address or a string. Strings are concatenated with "@", using the hostname specified in alert_actions.conf for the machine sending the email notification or "@localhost" if no hostname is specified. Defaults to "splunk@" or "splunk@localhost" if no hostname is specified.
Email footer. Footer for all emails. Use text and/or tokens.
Bottom line... if you don't want it to come back that way, tell it what it SHOULD be.
Thank you for your quick reply. In case I wasn't clear, we have done Settings > Server settings > Email settings as described in http://docs.splunk.com/Documentation/Splunk/6.5.3/Alert/Emailnotification#Configure_email_notificati...
The values we set there are apparently saved by Splunk in the etc/system/local/alert_actions.conf which I listed above, most importantly the 'from = firstname.lastname@example.org'.
All our other alerts go out from 'email@example.com' except this one which goes out from 'firstname.lastname@example.org'. There must be something special about this alert but I cannot see any difference. It may be older than the other alerts, created at a time when we did have 'from = email@example.com' but I don't see how that would matter now...
As an admin, go to Server settings -> Email settings -> Send emails as and set it to the proper value.
Update on this with additional interesting tidbits...
If I manually update [My Alert] in etc/users/robert/search/local/savedsearches.conf, set action.email.from = firstname.lastname@example.org, then:
We have many Splunk Reports that are scheduled for nightly email delivery, and they ALL go out from email@example.com.
Minor correction to original post: some Alert emails go out with no sender at all. The behavior is consistent per alert - that is, the alerts that go out from firstname.lastname@example.org or [no sender] always do so. Some Alerts go to:
email@example.com (as specified in etc/system/local/alert_actions.conf)
firstname.lastname@example.org (not sure why)
Thanks to Splunk tech support for solving this one for us, and apologies to anyone in Splunk Answers land who spent time trying to figure it out from the data presented - because I edited the offending data in my post. The problem was my actual 'action.email.to' looked more like this:
email@example.com,\n firstname.lastname@example.org,\n email@example.com
The line breaks caused the unexpected behavior when sending email and saving the alert from the Web UI. The Web UI inline help does state that email addresses should be 'comma separated'; however, comma + space works fine, so I would consider this a Splunk bug. It is also difficult to spot because line breaks and word wrap in the email "to" field look pretty similar. But I'm happy now, all our alerts are working fine.
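The root cause in the accepted answer is an `action.email.to` value that contains embedded line breaks rather than a plain comma-separated list. The following added example (not code from the thread or from Splunk) is a small lint script that walks a savedsearches.conf, reports any email-enabled stanza whose recipient list carries a line break or a malformed address, shows the normalized comma + space form, and also lists any per-alert `action.email.from` override (the setting the first answer points at, which takes precedence over the global `from` in alert_actions.conf). The sample stanzas are constructed; the assumption that a multi-line value is stored with trailing-backslash continuations is an assumption of this example.

```python
import re

# Constructed sample savedsearches.conf text. The first stanza reproduces the
# thread's problem: a recipient list pasted with line breaks. It is written with
# trailing backslashes, which this example assumes is how a multi-line value is
# stored in a Splunk .conf file.
SAMPLE_CONF = """\
[My Alert]
action.email = 1
action.email.from = firstname.lastname@example.org
action.email.to = email@example.com,\\
 firstname.lastname@example.org,\\
 email@example.com
action.email.subject.alert = My Alert

[Clean Alert]
action.email = 1
action.email.to = email@example.com, firstname.lastname@example.org

[No Email Report]
action.email = 0
"""

# Deliberately simple address shape: no whitespace, commas or extra '@'.
ADDR_RE = re.compile(r"^[^@\s,]+@[^@\s,]+\.[^@\s,]+$")


def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}.

    A line ending in a backslash continues the value on the next line. The
    newline is kept inside the value so embedded line breaks stay detectable.
    """
    stanzas, current, pending_key = {}, None, None
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if pending_key is not None:
            # Continuation of the previous key's value.
            if line.endswith("\\"):
                stanzas[current][pending_key] += "\n" + line[:-1]
            else:
                stanzas[current][pending_key] += "\n" + line
                pending_key = None
            continue
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("[") and stripped.endswith("]"):
            current = stripped[1:-1]
            stanzas[current] = {}
            continue
        if current is None or "=" not in line:
            continue  # key outside any stanza, or not a key = value line
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value.endswith("\\"):
            value, pending_key = value[:-1], key
        stanzas[current][key] = value
    return stanzas


def check_recipients(value):
    """Return (problems, normalized) for an action.email.to value."""
    problems = []
    if "\n" in value or "\r" in value:
        problems.append("embedded line break in recipient list")
    recipients = [r.strip() for r in value.split(",") if r.strip()]
    for r in recipients:
        if not ADDR_RE.match(r):
            problems.append(f"malformed address: {r!r}")
    return problems, ", ".join(recipients)


def lint_savedsearches(text):
    """Map each email-enabled stanza to its recipient problems and from override."""
    report = {}
    for name, keys in parse_conf(text).items():
        if keys.get("action.email") != "1" or "action.email.to" not in keys:
            continue
        problems, normalized = check_recipients(keys["action.email.to"])
        report[name] = {
            "problems": problems,
            "normalized": normalized,
            # Per-alert sender override; None means alert_actions.conf applies.
            "from_override": keys.get("action.email.from"),
        }
    return report


if __name__ == "__main__":
    for name, result in lint_savedsearches(SAMPLE_CONF).items():
        status = "OK" if not result["problems"] else "; ".join(result["problems"])
        print(f"[{name}] {status}")
        print(f"  normalized to: {result['normalized']}")
        if result["from_override"]:
            print(f"  from override: {result['from_override']}")
```

Running it against a real etc/users/<user>/<app>/local/savedsearches.conf (read the file and pass its text to `lint_savedsearches`) flags exactly the kind of stanza the thread describes, and the `normalized` string is the value to paste back into the Web UI's "to" field.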