
How to edit the "From" address field for email notifications?

kkossery
Communicator

This seems simple enough. We have been trying to customize our From address field from splunk@host.com to something our Exchange server allows, like splunk@domain.com.

We tried manually editing alert_actions.conf in /usr/local/splunk/etc/system/local but haven't been able to force Splunk to send it from our domain. It looks like Splunk ignores this file altogether. Any guidance on where we need to look?

[email]
mailserver = 10.x.x.x
pdf.header_left = none
pdf.header_right = none
from = splunk@domain.com
0 Karma
1 Solution

kkossery
Communicator

Somehow the changes in alert_actions.conf don't take effect in Splunk, but changes to the Email Settings under Settings -> Server Settings work.
The other thing you need to make sure of is to have the 'hostname' entry specified in the file. If not, it will default to splunk@host.

[email]
mailserver = 10.x.x.x
pdf.header_left = none
pdf.header_right = none
from = splunkadmin
hostname = test.com


0 Karma
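The symptom in this thread (a `from` value in one alert_actions.conf that never becomes the sender) is usually a layering question: Splunk merges every copy of a .conf file in precedence order, and the real way to see which file wins is `splunk btool alert_actions list email --debug`. The script below is an added example, not Splunk's own code, that mimics that check offline: it layers constructed sample copies of the [email] stanza in Splunk's global precedence order (system/default < app/default < app/local < system/local), reports where each effective value comes from, and applies the defaulting rule the accepted answer describes (a bare `from` without an `@` gets `@` plus the `hostname` setting, or the local host name). The file contents, the `app/local` override and the `domain.com`/`10.0.0.25` values are all constructed for illustration; treat the hostname-appending rule as an assumption taken from this thread rather than from Splunk's specification.

```python
"""Offline stand-in for `splunk btool alert_actions list email --debug`.

Added example, not Splunk's own code. Layers copies of alert_actions.conf in
Splunk's global-context precedence order and reports which file supplies the
effective `from` address. All sample file contents are constructed.
"""
import configparser
from typing import Dict, Tuple

# Splunk global-context precedence, lowest to highest: system/default is
# overridden by app/default, then app/local, then system/local.
PRECEDENCE = ("system/default", "app/default", "app/local", "system/local")

# Constructed sample: each entry stands in for
# $SPLUNK_HOME/etc/<layer>/alert_actions.conf (app layers stand in for
# etc/apps/<app>/{default,local}/alert_actions.conf).
SAMPLE_FILES: Dict[str, str] = {
    "system/default": "[email]\nfrom = splunk\nmailserver = localhost\n",
    # Hypothetical app that pins the sender; this is the kind of file that
    # silently wins over a system/local copy that does not set `from`.
    "app/local": "[email]\nfrom = splunk@host.com\n",
    "system/local": "[email]\nmailserver = 10.0.0.25\nhostname = domain.com\n",
}


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse one .conf file into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case and dotted keys like pdf.header_left
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def effective_stanza(files: Dict[str, str], stanza: str) -> Dict[str, Tuple[str, str]]:
    """Merge one stanza across layers; returns {key: (value, winning_layer)}."""
    merged: Dict[str, Tuple[str, str]] = {}
    for layer in PRECEDENCE:  # later (higher precedence) layers overwrite
        if layer not in files:
            continue
        for key, value in parse_conf(files[layer]).get(stanza, {}).items():
            merged[key] = (value, layer)
    return merged


def effective_from(files: Dict[str, str], default_host: str = "host") -> Tuple[str, str]:
    """Sender Splunk would use and the layer it came from.

    Assumption (from the accepted answer in this thread, not from Splunk's
    spec): a `from` value with no '@' gets '@' + the `hostname` setting
    appended, falling back to the local host name.
    """
    email = effective_stanza(files, "email")
    sender, source = email.get("from", ("splunk", "built-in default"))
    if "@" in sender:
        return sender, source
    host, _ = email.get("hostname", (default_host, "local hostname"))
    return f"{sender}@{host}", source


def explain(files: Dict[str, str], stanza: str = "email") -> str:
    """btool --debug style listing: one line per effective key with its source."""
    lines = [f"[{stanza}]"]
    for key, (value, source) in sorted(effective_stanza(files, stanza).items()):
        lines.append(f"{source:<15} {key} = {value}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(explain(SAMPLE_FILES))
    print("effective from:", effective_from(SAMPLE_FILES))
    # The fix: set `from` in the highest-precedence layer so nothing overrides it.
    fixed = dict(SAMPLE_FILES)
    fixed["system/local"] = SAMPLE_FILES["system/local"] + "from = splunkadmin\n"
    print("after fix:", effective_from(fixed))
```

Running it shows `from = splunk@host.com` attributed to `app/local` even though system/local was edited, because the system/local copy never set `from`; adding `from = splunkadmin` there yields `splunkadmin@domain.com` from system/local. On a real host, run the btool command above and compare its `--debug` source column with the file you edited before assuming Splunk ignores the file.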


Richfez
SplunkTrust

kkossery, I think you've answered your own question. I'd accept it if I were you. 🙂

0 Karma

somesoni2
Revered Legend

kkossery
Communicator

Thanks. I did go through the link earlier.
Our Splunk sends out the email through a Postfix mail server so we can clearly see that Splunk is setting the email from field to splunk@host instead of splunk@domain from its mail logs. This makes us believe it is a Splunk issue.

0 Karma

sbbadri
Motivator

You can do it in the search query too, like below:

your base search | sendemail to=toaddress from=fromaddress subject=subject server=server

kkossery
Communicator

This seems to work in the search query. So the route for email delivery is clear. It doesn't work if you specify it in the configuration files.

0 Karma

sbbadri
Motivator

Your configuration in alert_actions.conf seems correct. Please check that you have proper rw permissions for your user and group on that file.

0 Karma

kkossery
Communicator

Sorry. I may have jumped to a conclusion too quickly. It still doesn't seem to work!

Any new alerts created still use splunk@host instead of splunk@domain. The console and the alert_actions.conf settings are the same.

The user 'splunk' has full read/write permissions 600 on the file and runs this application as the 'splunk' user.

0 Karma

sbbadri
Motivator

Just give it like below:

[email]
 mailserver = 10.x.x.x
 pdf.header_left = none
 pdf.header_right = none
 from = splunk

I guess it automatically appends the domain name.

0 Karma