Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Linux DHCP and emails
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In any case, you will want to change
the "Email address(es)" from
"example@example.com" to your desired
email address or distribution list.
This app is sending close to 100 messages every day. They all go to 'example@example.com' which is bouncing around the email system. By default email on most Linux systems will have the 'From:' address of 'splunk@somehost.yourorganization.org', which also goes nowhere (Or perhaps it goes to postmaster@yourorganization.org). This results in hundreds of double-bounced emails which remain in email purgatory.
How would one change this email address? I cannot find that setting anywhere.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here's how I solved this.
I noticed that the savedsearch dhcpd_alert_new_mac_address_15m was configured to send an email every 15 minutes. By default, it sends email to example@example.org . That is a ton of email (96 incorrect emails per day?). This is viewable under "Splunk> Manager » Searches and reports » dhcpd_alert_new_mac_address_15m", and on the commandline at $SPLUNK_HOME/etc/apps/dhcpd/default/savedsearches.conf has this:
[dhcpd_alert_new_mac_address_15m]
action.email = 1
action.email.sendresults = 1
action.email.to = example@example.com
counttype = number of events
cron_schedule = */15 * * * *
description = Alerts on mac addresses seen in the last 15 minutes that were not in the dhcpd_mac-hostname lookup table
To disable this, I simply unchecked the box next to "Schedule this search". On the commandline, the following file was added to $SPLUNK_HOME/etc/apps/dhcpd/local/savedsearches.conf, and now the emails have stopped.
[dhcpd_alert_new_mac_address_15m]
disabled = 1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here's how I solved this.
I noticed that the savedsearch dhcpd_alert_new_mac_address_15m was configured to send an email every 15 minutes. By default, it sends email to example@example.org . That is a ton of email (96 incorrect emails per day?). This is viewable under "Splunk> Manager » Searches and reports » dhcpd_alert_new_mac_address_15m", and on the commandline at $SPLUNK_HOME/etc/apps/dhcpd/default/savedsearches.conf has this:
[dhcpd_alert_new_mac_address_15m]
action.email = 1
action.email.sendresults = 1
action.email.to = example@example.com
counttype = number of events
cron_schedule = */15 * * * *
description = Alerts on mac addresses seen in the last 15 minutes that were not in the dhcpd_mac-hostname lookup table
To disable this, I simply unchecked the box next to "Schedule this search". On the commandline, the following file was added to $SPLUNK_HOME/etc/apps/dhcpd/local/savedsearches.conf, and now the emails have stopped.
[dhcpd_alert_new_mac_address_15m]
disabled = 1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The only way to do this right now is to edit each saved search manually. I will consider making this easier in a future version.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
