How to edit the "From" address field for email notifications?

kkossery
Communicator

This seems simple enough. We have been trying to customize our From address field from splunk@host.com to something our Exchange server allows, like splunk@domain.com.

We tried manually editing alert_actions.conf in /usr/local/splunk/etc/system/local but haven't been able to force Splunk to send it from our domain. It looks like Splunk ignores this file altogether. Any guidance on where we need to look?

[email]
mailserver = 10.x.x.x
pdf.header_left = none
pdf.header_right = none
from = splunk@domain.com
0 Karma
1 Solution

kkossery
Communicator

Somehow the changes in alert_actions.conf don't show up in Splunk, but changes to the Email Settings under Settings -> Server Settings work.
The other thing you need to make sure of is that the 'hostname' entry is specified in the file. If not, it will default to splunk@host.

[email]
mailserver = 10.x.x.x
pdf.header_left = none
pdf.header_right = none
from = splunkadmin
hostname = test.com

0 Karma


Richfez
SplunkTrust

kkossery, I think you've answered your own question. I'd accept it if I were you. 🙂

0 Karma

somesoni2
SplunkTrust

kkossery
Communicator

Thanks. I did go through the link earlier.
Our Splunk sends out email through a Postfix mail server, so we can clearly see from its mail logs that Splunk is setting the email From field to splunk@host instead of splunk@domain. This makes us believe it is a Splunk issue.

0 Karma

sbbadri
Motivator

You can do it in the search query too, like below:

your base search | sendemail to=toaddress from=fromaddress subject=subject server=server

kkossery
Communicator

This seems to work in the search query, so the route for email delivery is clear. It doesn't work if you specify it in the configuration files.

0 Karma

sbbadri
Motivator

Your configuration in alert_actions.conf seems correct. Please check that you have proper rw permissions for your user and group on that file.

0 Karma

kkossery
Communicator

Sorry. I may have jumped to a conclusion too quickly. It still doesn't seem to work!

Any new alerts created still take splunk@host instead of splunk@domain. The console and the alert_actions.conf settings are the same.

The user 'splunk' has full read/write permissions 600 on the file and runs this application as the 'splunk' user.

0 Karma

sbbadri
Motivator

Just give it like below:

[email]
mailserver = 10.x.x.x
pdf.header_left = none
pdf.header_right = none
from = splunk

I guess it automatically appends the domain name.

0 Karma
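The accepted answer above says a bare user in `from` gets `@` plus the `hostname` value appended (and `@host` when no `hostname` is set), and the later posts show two overrides that bypass the global stanza: the `sendemail from=` search argument and, per saved search, `action.email.from` in savedsearches.conf. The following is an added, offline model of that resolution written for this thread; it is not Splunk's own sendemail code. The sample .conf files, the layer order (Splunk's documented global precedence, with a single app so ordering between apps is not modelled), and the helper names are all assumptions made for the example. The reason the relay cares is the same reason SPF and DMARC exist: the envelope and header sender must carry a domain the mail system is authorized to speak for, so a From of `splunk@<bare-hostname>` is rejected.

```python
"""
Offline model of how the From address of a Splunk alert e-mail is assembled.
Added example for this thread, not Splunk's own code.

Assumptions (all labelled): layering is system/default < app/default
< app/local < system/local with the later file winning; a `from` without
'@' gets '@' + the `hostname` key appended, falling back to the machine's
host name (the splunk@host seen in the thread); a per-search
`action.email.from` or an inline `sendemail from=` argument takes priority
over the global stanza.
"""
import configparser
import socket

# Constructed sample files, listed lowest precedence first.
LAYERS = {
    "etc/system/default/alert_actions.conf": """
[email]
from = splunk
mailserver = localhost
""",
    "etc/apps/search/local/alert_actions.conf": """
[email]
mailserver = 10.0.0.25
""",
    "etc/system/local/alert_actions.conf": """
[email]
from = splunkadmin
hostname = test.com
pdf.header_left = none
pdf.header_right = none
""",
}


def parse_conf(text):
    """Parse a Splunk-style .conf fragment into {stanza: {key: value}}."""
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    cp.read_string(text)
    return {stanza: dict(cp.items(stanza)) for stanza in cp.sections()}


def merge_email_stanza(layers):
    """Return the effective [email] stanza and the file that supplied each key.

    Later entries in `layers` override earlier ones, mirroring what
    `splunk btool alert_actions list email --debug` reports on a real host.
    """
    effective, origin = {}, {}
    for path, text in layers.items():
        for key, value in parse_conf(text).get("email", {}).items():
            effective[key] = value
            origin[key] = path
    return effective, origin


def effective_from(email_stanza, per_search_from=None, inline_from=None,
                   local_host=None):
    """Resolve the From address using the override order described in the thread.

    inline_from  : `from=` given on a `| sendemail` search command
    per_search_from: `action.email.from` from savedsearches.conf (assumed name)
    local_host   : injected host name for the fallback; defaults to this machine
    """
    sender = inline_from or per_search_from or email_stanza.get("from", "splunk")
    if "@" in sender:
        return sender  # fully qualified already, used as-is
    # Bare user: append the configured hostname, else the machine's host name
    # (this is where the unwanted splunk@host comes from).
    domain = email_stanza.get("hostname") or local_host or socket.gethostname()
    return f"{sender}@{domain}"


if __name__ == "__main__":
    stanza, origin = merge_email_stanza(LAYERS)
    for key in sorted(stanza):
        print(f"{key} = {stanza[key]}    [{origin[key]}]")
    print("From:", effective_from(stanza))
```

On the real host, `$SPLUNK_HOME/bin/splunk btool alert_actions list email --debug` prints the merged `[email]` stanza with the file each key came from, which is the quickest way to tell whether a `from` in a higher-precedence file (or an `action.email.from` on the alert itself) is overriding the system/local edit; hand-edited .conf files are only picked up after a restart or a config reload, which the thread does not mention doing.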