All Apps and Add-ons

How to update the results and view links in the Alert Manager email?



I am using Splunk 6.3.3 with the Alert Manager app (version 2.0.5) for alert distribution. Everything is working as expected except, the results and view links in the email body are incorrect. The splunkweb is running in SSL mode and we also have a load balancer in front of the search head. The links generated in the email body are http instead of https and the hostname is the server name instead of the load balancer cname. I updated the alert_actions.conf file under both the /etc/system/local and /etc/apps/alert_manager/local locations by adding the intended hostname value but it didn't make any difference.

Has anyone figured this out?


Splunk Employee
Splunk Employee

Have you found any solution for this issue?

0 Karma

Esteemed Legend

Set the hostname option in alert_actions.conf:

hostname = [protocol]<host>[:<port>]
* Sets the hostname used in the web link (url) sent in alerts.
* This value accepts two forms.
  * hostname
       examples: splunkserver,
  * protocol://hostname:port
       examples: http://splunkserver:8000,
* When this value is a simple hostname, the protocol and port which
  are configured within splunk are used to construct the base of
  the url.
* When this value begins with 'http://', it is used verbatim.
  NOTE: This means the correct port must be specified if it is not
  the default port for http or https.
* This is useful in cases when the Splunk server is not aware of
  how to construct an externally referenceable url, such as SSO
  environments, other proxies, or when the Splunk server hostname
  is not generally resolvable.
* Defaults to current hostname provided by the operating system,
  or if that fails, "localhost".
* When set to empty, default behavior is used.

This must be deployed to EVERY Search Head and all Splunk instances there need to be restarted before it will take effect.

0 Karma


Thats exactly what I have done on the search head where the saved searches run. I have restarted the splunk processes as well but it still doesn't work. The results and view links are not constructed using the hostname value I defined in the alert_actions.conf file.

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!