
Is it possible to create a footer with the sendemail command?

RNB
Path Finder

I have a Splunk scheduled report that sends a summary of events if the event count is greater than 0 for the search. Since this report rarely reports events, it doesn't need to be set up as an alert. When the report does produce results, staff need to follow up on the activity. I would like to do this with the sendemail command as well as Scheduled Reports.

I have the scheduled report E-Mail action configured to include a message that is a brief statement as to the general meaning of the report. The results of the search are in table format and included inline, appearing below the line of the text entered into the Message Text Box.

I would like additional text to appear below the inline text, something like a footer. The text would include a line of text followed by a second line including a URL. The intention is to provide a link directly to online documentation for a product that deals with the investigation and possible requirement to resolve an issue related to the events reported in the search.

Including all this information in the Message Text Box works, but my question is related to the formatting of messages in Splunk. There are other instances and reasons I can think of where it would be desirable for aesthetics, but not essential to function, to have the inline results sandwiched between paragraphs of text. This may be a Product Enhancement Request.

Thank you


somesoni2
Revered Legend

Splunk provides the following two attributes which can be customized in an email alert (can be configured in savedsearches.conf)

action.email.message.report AND action.email.message.alert  - email body which appears before the in-line results. Can be configured from Splunk Web UI. 

action.email.footer.text - email footer that appears after the in-line results. Can only be configured via conf files. Can be set for a single search via savedsearches.conf OR for all searches using alert_actions.conf

See these for more details
http://docs.splunk.com/Documentation/Splunk/6.4.0/Alert/Emailnotification#Configure_email_notificati...
http://docs.splunk.com/Documentation/Splunk/6.4.0/admin/savedsearchesconf#savedsearches.conf.example
http://docs.splunk.com/Documentation/Splunk/6.4.0/Admin/Alertactionsconf
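
As an added example (not part of the answer above or of Splunk's documentation), the per-search footer and the global default footer could be set as follows. The stanza name, search, recipient address and URL are hypothetical placeholders.

```ini
# savedsearches.conf: per-search settings.
# Stanza name, search string and addresses below are hypothetical.
[Failed Admin Logins Summary]
search = index=main sourcetype=auth action=failure user=admin | stats count by src
enableSched = 1
cron_schedule = 0 6 * * *
action.email = 1
action.email.to = soc@example.com
action.email.sendresults = 1
action.email.inline = 1
action.email.format = table
# Body text shown above the inline results; $name$ expands to the report name.
action.email.message.report = The scheduled report '$name$' returned events that need follow-up.
# Footer shown below the inline results. A trailing backslash continues
# the value on the next line, which gives the two-line footer asked about.
action.email.footer.text = Investigation steps for these events are documented here:\
https://wiki.example.com/runbooks/placeholder

# alert_actions.conf: default footer for every search that does not override it.
[email]
footer.text = Questions about this report? Contact the Splunk administrators.
```

Place both files in a local directory (for example an app's local folder) rather than editing the files under default, so upgrades do not overwrite the change.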

RNB
Path Finder

Thank you somesoni2.

While I was aware of the notification settings, I had not considered/understood that I would include tokens in the text. This would allow me to use a standard global default footer with the ability to modify it with the token.

I was unaware of the savedsearches.conf file and the additional ability to modify the footer of the message as well as the optional PDF report.

RNB
