This seems simple enough. We have been trying to customize our From address field from splunk@host.com to something our Exchange server allows, like splunk@domain.com.
We tried manually editing alert_actions.conf in /usr/local/splunk/etc/system/local but haven't been able to force Splunk to send it from our domain. It looks like Splunk ignores this file altogether. Any guidance on where we need to look?
[email]
mailserver = 10.x.x.x
pdf.header_left = none
pdf.header_right = none
from = splunk@domain.com
Somehow the changes in alert_actions.conf don't take effect in Splunk, but changes to the Email Settings under Settings -> Server Settings do work.
The other thing you need to make sure of is that the 'hostname' entry is specified in the file. If not, it will default to splunk@host.
[email]
mailserver = 10.x.x.x
pdf.header_left = none
pdf.header_right = none
from = splunkadmin
hostname = test.com
kkossery, I think you've answered your own question. I'd accept it if I were you. 🙂
Look at this post to see if it's similar to yours. https://answers.splunk.com/answers/458343/how-to-change-the-from-address-when-an-alert-email.html
Thanks. I did go through the link earlier.
Our Splunk sends out email through a Postfix mail server, so we can clearly see from its mail logs that Splunk is setting the email From field to splunk@host instead of splunk@domain. This makes us believe it is a Splunk issue.
You can do it in the search query too, like below:
your base search | sendemail to=toaddress from=fromaddress subject=subject server=server
This seems to work in the search query, so the route for email delivery is clear. It doesn't work if you specify it in the configuration files.
Your configuration in alert_actions.conf seems correct. Please check that your user and group have proper rw permission on that file.
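Two checks worth making before blaming permissions, since the thread shows the `| sendemail from=...` route working while the file edit does not: a hand-edited .conf is only read after `splunk restart` (or a reload), and `splunk btool alert_actions list email --debug` prints which file supplied each value of the [email] stanza after all layers are merged. The script below is an added illustration, not Splunk's code or btool: it re-implements that layering on a constructed SPLUNK_HOME, written to a temporary directory, and shows the three places an alert's sender can come from. It assumes the documented global-context precedence (system/local above app local, app default and system/default; the order between several apps is simplified to a name sort), assumes that a saved search's `action.email.from` and a `from=` argument on sendemail both override alert_actions.conf, and assumes that a sender without '@' gets '@' plus the local host name appended. The sample files, stanza names and addresses are invented for the example.

```python
"""Illustrative resolver for the sender of a Splunk email alert (added example,
not Splunk's own code). Assumptions: global-context precedence, highest first,
system/local > apps/*/local > apps/*/default > system/default (order among
apps simplified to a name sort); a saved search's action.email.from and a
`| sendemail from=` argument both win over alert_actions.conf; a sender with
no '@' gets '@' + the local host name appended. btool is the authoritative view.
"""
import configparser
import os
import tempfile

# Constructed sample SPLUNK_HOME, loosely mirroring the thread; not real files.
SAMPLE_FILES = {
    "etc/system/default/alert_actions.conf": "[email]\nfrom = splunk\nmailserver = localhost\n",
    "etc/system/local/alert_actions.conf": (
        "[email]\nmailserver = 10.0.0.25\npdf.header_left = none\n"
        "pdf.header_right = none\nfrom = splunk@domain.com\n"
    ),
    # a copy in an app's local directory: loses to system/local in this model
    "etc/apps/search/local/alert_actions.conf": "[email]\nfrom = splunk\n",
    "etc/apps/search/local/savedsearches.conf": (
        "[Disk full alert]\nsearch = index=_internal component=DiskMon\n"
        "action.email = 1\naction.email.from = noc@domain.com\n"
        "[Nightly report]\nsearch = index=main | stats count\n"
        "action.email = 1\naction.email.from = reports\n"
    ),
}


def build_sample(root):
    """Write SAMPLE_FILES under a throwaway SPLUNK_HOME."""
    for rel, text in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)


def layer_paths(splunk_home):
    """alert_actions.conf candidates, highest precedence first (global context)."""
    etc = os.path.join(splunk_home, "etc")
    apps_dir = os.path.join(etc, "apps")
    apps = sorted(os.listdir(apps_dir)) if os.path.isdir(apps_dir) else []
    dirs = [os.path.join(etc, "system", "local")]
    dirs += [os.path.join(apps_dir, a, "local") for a in apps]
    dirs += [os.path.join(apps_dir, a, "default") for a in apps]
    dirs.append(os.path.join(etc, "system", "default"))
    return [os.path.join(d, "alert_actions.conf") for d in dirs]


def read_stanza(path, stanza):
    """Key/value pairs of one stanza; {} if the file or stanza is absent."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case, e.g. action.email.from
    cp.read(path)  # a missing file is silently skipped
    return dict(cp[stanza]) if cp.has_section(stanza) else {}


def merged_email_settings(splunk_home):
    """{key: (value, file that supplied it)} for [email] after layering."""
    merged = {}
    for path in layer_paths(splunk_home):
        for key, value in read_stanza(path, "email").items():
            merged.setdefault(key, (value, path))  # first (highest) layer wins
    return merged


def resolve_from(splunk_home, saved_search=None, app="search",
                 search_arg=None, local_hostname="host"):
    """Return (effective sender, where it came from)."""
    if search_arg:  # `| sendemail from=...` wins over all configuration
        sender, source = search_arg, "sendemail from= argument"
    else:
        sender, source = None, None
        if saved_search:  # per-alert override in savedsearches.conf
            ss = os.path.join(splunk_home, "etc", "apps", app, "local", "savedsearches.conf")
            sender = read_stanza(ss, saved_search).get("action.email.from")
            source = f"{ss} [{saved_search}]" if sender else None
        if not sender:
            sender, source = merged_email_settings(splunk_home).get(
                "from", ("splunk", "built-in default"))
    if "@" not in sender:  # assumed: a bare user name gets the local host name
        sender = f"{sender}@{local_hostname}"
    return sender, source


def demo():
    """Resolve the sender for each scenario on the constructed layout."""
    with tempfile.TemporaryDirectory() as home:
        build_sample(home)
        merged = merged_email_settings(home)
        return {
            "merged_from": merged["from"][0],
            "merged_from_layer": os.path.relpath(merged["from"][1], home),
            "global": resolve_from(home)[0],
            "disk_alert": resolve_from(home, saved_search="Disk full alert")[0],
            "nightly": resolve_from(home, saved_search="Nightly report")[0],
            "search_cmd": resolve_from(home, search_arg="ops@domain.com")[0],
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In this model the hand edit in etc/system/local does win the [email] merge, so if a real alert still sends as splunk@host the thing to compare is the alert's own stanza in savedsearches.conf (an `action.email.from` there replaces the global value) and the btool --debug output after a restart, rather than the file's permissions.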
Sorry, I may have jumped to a conclusion too quickly. It doesn't seem to work still!
Any new alerts created still take splunk@host instead of splunk@domain. The console and the alert_actions.conf settings are the same.
The user 'splunk' has full read/write permissions (600) on the file, and the application runs as the 'splunk' user.
Just give it like below:
[email]
mailserver = 10.x.x.x
pdf.header_left = none
pdf.header_right = none
from = splunk
I guess it automatically appends the domain name.