
Is it possible to create a footer with the sendemail command?

Path Finder

I have a Splunk scheduled report that sends a summary of events if the event count is greater than 0 for the search. Since this report rarely reports events, it doesn't need to be set up as an alert. When the report does produce results, staff need to follow up on the activity. I would like to do this with the sendemail command as well as Scheduled Reports.

I have the scheduled report E-Mail action configured to include a message that is a brief statement as to the general meaning of the report. The results of the search are in table format and included inline, appearing below the line of the text entered into the Message Text Box.

I would like additional text to appear below the inline text, something like a footer. The text would include a line of text followed by a second line including a URL. The intention is to provide a link directly to online documentation for a product that deals with the investigation and possible requirement to resolve an issue related to the events reported in the search.

Including all this information in the Message Text Box works, but my question is related to the formatting of messages in Splunk. There are other instances and reasons I can think of where it would be desirable for aesthetics, but not essential to function, to have the inline results sandwiched between paragraphs of text. This may be a Product Enhancement Request.

Thank you

0 Karma
1 Solution

SplunkTrust

Splunk provides the following two attributes, which can be customized in an email alert (they can be configured in savedsearches.conf):

action.email.message.report AND action.email.message.alert - the email body, which appears before the in-line results. Can be configured from the Splunk Web UI.

action.email.footer.text - the email footer, which appears after the in-line results. Can only be configured via conf files. Can be set for a single search via savedsearches.conf OR for all searches using alert_actions.conf.

See these for more details:
http://docs.splunk.com/Documentation/Splunk/6.4.0/Alert/Emailnotification#Configure_email_notificati...
http://docs.splunk.com/Documentation/Splunk/6.4.0/admin/savedsearchesconf#savedsearches.conf.example
http://docs.splunk.com/Documentation/Splunk/6.4.0/Admin/Alertactionsconf
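
A configuration sketch of the two placements described in the answer above, added here as an example and not taken from the original post or from Splunk's documentation: a global footer in alert_actions.conf and a per-report override in savedsearches.conf. The file locations, stanza name, search, schedule, recipient address and documentation URL are constructed placeholders, and the `\r\n` line break is an assumption based on how the footer in Splunk's shipped default alert_actions.conf separates its lines.

```ini
# --- alert_actions.conf (example location: $SPLUNK_HOME/etc/system/local/) ---
# Global default footer, placed after the inline results of every emailed search.
[email]
footer.text = Report "$name$" was generated by Splunk. Contact your Splunk administrator with questions.

# --- savedsearches.conf (example location: $SPLUNK_HOME/etc/apps/search/local/) ---
# Per-report settings; the stanza name and all values are placeholders.
[Example Follow-Up Report]
search = index=main sourcetype=example_events | table _time host user action
enableSched = 1
cron_schedule = 0 6 * * *
# Only send the email when the search returns more than 0 events.
counttype = number of events
relation = greater than
quantity = 0
action.email = 1
action.email.to = soc-team@example.com
action.email.inline = 1
# Body text shown above the inline results table.
action.email.message.report = The scheduled report "$name$" returned $job.resultCount$ events that need follow-up.
# Footer shown below the inline results: one line of text, then the URL on its own line.
# This overrides the global [email] footer.text for this report only.
action.email.footer.text = Investigation and resolution steps are documented here:\r\nhttps://docs.example.com/placeholder-runbook
```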


Path Finder

Thank you somesoni2.

While I was aware of the notification settings, I had not considered/understood that I would include tokens in the text. This would allow me to use a standard global default footer with the ability to modify it with the token.

I was unaware of the savedsearches.conf file and the additional ability to modify the footer of the message as well as the optional PDF report.

RNB

0 Karma