Is there a way to remove the Splunk query from the email that is sent out? A lot of our emails go out to users, so we just want them to see the table of results and don't want them to get confused by the query that we ran.

I see an option to include the results. Is there no option to exclude the Splunk query?

Thanks, Hazel

Starting in Splunk 6.1, this ability is built into the product. Edit your search and look under the "Click to edit email action" link in the "Alert Actions" section. It's a simple check box you can uncheck. It's in the picture in step 4.


I have read the other posts for this as well as this one and the answers are not good ones. This should be an option in the UI.

Unfortunately there's no well supported way of doing this, but it's a good enhancement request to forward on to Customer Support.

If you are feeling daring, you can modify $SPLUNK_HOME/etc/apps/search/bin/ which renders emails. Note that any modifications will be overwritten on upgrade.


If you do modify the script, DON'T modify it in-place. Instead, make a copy and override the sendemail command in the search app. There has been some discussion along these lines in some older threads, including this one --

