Reporting

How to edit the "From" address field for email notifications?

kkossery
Communicator

This seems simple enough. We have been trying to customize our From address field from splunk@host.com to something our exchange server allows, like splunk@domain.com.

We tried manually editing alert_actions.conf in /usr/local/splunk/etc/system/local but haven't been able to force Splunk to send it from our domain. It looks like Splunk ignores this file altogether. Any guidance on where we need to look?

[email]
mailserver = 10.x.x.x
pdf.header_left = none
pdf.header_right = none
from = splunk@domain.com
0 Karma
1 Solution

kkossery
Communicator

Somehow the changes in alert_actions.conf don't reflect in Splunk, but changes in the Email Settings under Settings -> Server Settings work.
The other thing you need to make sure of is to have the 'hostname' entry specified in the file. If not, it will default to splunk@host.

[email]
mailserver = 10.x.x.x
pdf.header_left = none
pdf.header_right = none
from = splunkadmin
hostname = test.com


0 Karma
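As an added example (not code from the thread and not Splunk's own code), here is a small Python model of the rule the accepted answer describes: a bare `from` value is qualified with the `hostname` entry, and when `hostname` is absent the local host name is used, which is where `splunk@host` comes from. That rule is an assumption inferred from the thread, not taken from Splunk's source; the `[email]` stanza and the Postfix-style log lines below are constructed. The second function does the verification the thread relies on, reading the sender out of mail-server log lines and reporting any that differ from the expected From address.

```python
"""Model of how the [email] stanza in alert_actions.conf turns into a
From address, plus a check of that expectation against mail-server logs.
Added example; the qualification rule is an assumption drawn from the
thread, not from Splunk's source code."""
import configparser
import re
import socket

# Constructed stanza, modelled on the accepted answer in the thread.
ALERT_ACTIONS_CONF = """
[email]
mailserver = 10.x.x.x
pdf.header_left = none
pdf.header_right = none
from = splunkadmin
hostname = test.com
"""


def parse_email_stanza(conf_text):
    """Return the key/value pairs of the [email] stanza as a dict."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case as written, e.g. pdf.header_left
    parser.read_string(conf_text)
    if not parser.has_section("email"):
        return {}
    return dict(parser.items("email"))


def effective_from(stanza, local_hostname=None):
    """Compute the From address the stanza is expected to produce.

    Assumption (from the thread): a 'from' value without '@' is qualified
    with 'hostname'; if 'hostname' is missing, the local host name is used,
    which yields the splunk@host form the question complains about.
    """
    sender = stanza.get("from", "splunk").strip()
    if "@" in sender:
        return sender
    host = stanza.get("hostname", "").strip()
    if not host:
        host = local_hostname or socket.gethostname()
    return f"{sender}@{host}"


# Constructed Postfix-style queue-manager lines, not taken from the thread.
MAIL_LOG = """\
Jan 10 12:00:01 splunk postfix/qmgr[1234]: 0A1B2C3D4E: from=<splunkadmin@test.com>, size=2048, nrcpt=1 (queue active)
Jan 10 12:05:42 splunk postfix/qmgr[1234]: 5F6A7B8C9D: from=<splunk@host>, size=1900, nrcpt=1 (queue active)
"""

FROM_RE = re.compile(r"from=<([^>]*)>")


def check_mail_log(log_text, expected_from):
    """Return the sender addresses in the log that differ from expected_from.

    An empty list means every message the mail server saw carried the
    From address the configuration should have produced.
    """
    mismatches = []
    for line in log_text.splitlines():
        match = FROM_RE.search(line)
        if match and match.group(1) != expected_from:
            mismatches.append(match.group(1))
    return mismatches


if __name__ == "__main__":
    stanza = parse_email_stanza(ALERT_ACTIONS_CONF)
    expected = effective_from(stanza)
    print("expected From:", expected)
    print("unexpected senders in mail log:", check_mail_log(MAIL_LOG, expected))
```

Running the block against the constructed stanza gives `splunkadmin@test.com`, and the log check flags the `splunk@host` message as the one that did not pick up the configuration. The same two calls work on a real alert_actions.conf and a real Postfix log, which is a quicker way to confirm whether the file is being read than creating a new alert each time.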

Richfez
SplunkTrust
SplunkTrust

kkossery, I think you've answered your own question. I'd accept it if I were you. 🙂

0 Karma

somesoni2
Revered Legend

kkossery
Communicator

Thanks. I did go through the link earlier.
Our Splunk sends out the email through a Postfix mail server so we can clearly see that Splunk is setting the email from field to splunk@host instead of splunk@domain from its mail logs. This makes us believe it is a Splunk issue.

0 Karma

sbbadri
Motivator

You can do it in the search query too, like below:

your base search | sendemail to=toaddress from=fromaddress subject=subject server=server

kkossery
Communicator

This seems to work on the search query. So the route for email delivery is clear. It doesn't work if you specify on the configuration files.

0 Karma

sbbadri
Motivator

Your configuration in alert_actions.conf seems correct. Please check that you have proper rw permission for your user and group on that file.

0 Karma

kkossery
Communicator

Sorry. I may have jumped to conclusions too quickly. It doesn't seem to work still!

Any new alerts created still take splunk@host instead of splunk@domain. The console and the alert_actions.conf settings are the same.

The user 'splunk' has full read/write permissions 600 on the file and runs this application as the 'splunk' user.

0 Karma

sbbadri
Motivator

Just give it like below:

[email]
mailserver = 10.x.x.x
pdf.header_left = none
pdf.header_right = none
from = splunk

I guess it automatically appends the domain name.

0 Karma