Deployment Architecture

Why is the email icon not shown properly on Edit Alert screen when alert_actions.conf is deployed from the deployer?

hnoboru_splunk
Splunk Employee
Splunk Employee

I created an App, and deployed it with alert_actions.conf to Search Heads.
When I tried to set up an alert on a Search Head by the below procedures, Send email icon was not shown properly.

[Procedures to create an alert]

(1) Create a search
(2) Save As -> Alert
(3) On Save As Alert, click Add Actions
(4) Send email icon is not shown properly

[alert_actions.conf in the App]

[email]
reportCIDFontList = jp
use_ssl = 0
footer.text = My Footer
...

alt text

hnoboru_splunk
Splunk Employee
Splunk Employee

This issue happens because the stanza name must be unique and two apps cannot define the same alert action.
In this case, alet_actions.conf from the app has the precedence.
Try setting either one of the below.

[Method 1 : Set them up in savedsearches.conf]
Set up these in savedsearches.conf as below.

savedsearches.conf

[mySavedSearch]
action.email = 1
action.email.reportCIDFontList = jp
action.email.use_ssl = 0
action.email.footer.text = My Footer

[Method 2 : Set necessary email stanza settings in alert_actions in the App]
Set up necessary settings in email stanza in alert_actions in the App.
Please note this setting will affect other Apps.

For icon_path, just set file name, no need to put the whole path.
For the default icon, copy mod_alert_icon_email.png from the below location
to $SPLUNK_HOME/etc/apps/appName/appserver/static/.

alert_actions.conf

reportCIDFontList = jp
use_ssl = 0
footer.text = My Footer
...
icon_path = <fileName>
...

The location of mod_alert_icon_email.png from where the user needs to copy

$SPLUNK_HOME/share/splunk/search_mrsparkle/exposed/img/mod_alert_icon_email.png

[Reference]

https://docs.splunk.com/Documentation/Splunk/7.2.5/AdvancedDev/CustomAlertConfig 

Stanza naming 
Follow these guidelines when naming the alert action stanza. 
The stanza name must be unique. Two apps cannot define the same alert action.
The stanza name can contain only the following characters.
       - alphanumeric characters
       - underscores
       - hyphens
The stanza name cannot contain spaces.

savedsearches.conf

https://docs.splunk.com/Documentation/Splunk/7.2.5/Admin/Savedsearchesconf

alert_actions.conf
https://docs.splunk.com/Documentation/Splunk/7.2.5/Admin/Alertactionsconf

ablume
Explorer

Method 2 did the trick for our SHC, thanks!

0 Karma

yeahnah
Motivator

Linking to the workaround here, https://community.splunk.com/t5/Splunk-Enterprise/Troubleshooting-Invalid-Key-Stanza-alert-actions-c..., in case anyone else finds it useful

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...