Reporting

Splunk alert mail is in plain text

c155969
New Member

I have configured an alert in Splunk Enterprise 6.6.3.
The alert itself works and I get the Email.
But the Email content is wrong it look like:

From: no.reply@test.com
Date: Mon, 21 May 2018 12:01:01 +0200
X-Priority: 3
X-Splunk-Name: My test error
X-Splunk-Owner: splunkuser
X-Splunk-App: TEST
X-Splunk-SID: scheduler_splunkuserTEST_RMD5f5ddfff38b8f486c_at_1526896860_9502
X-Splunk-ServerName: splunkserver
X-Splunk-Version: 6.6.3
X-Splunk-Build: e21ee54bc796
X-CompuMailGateway: Version: 6.00.4.17261.x86_64 COMPUMAIL Date: 20180521100101Z
Content-Type: multipart/mixed; boundary="===============1519125244710537315=="
This is a multi-part message in MIME format.
--===============1519125244710537315==
Content-Type: multipart/alternative;
boundary="===============0576424335523694884=="
MIME-Version: 1.0
--===============0576424335523694884==
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
VGhlIGFsZXJ0IGNvbmRpdGlvbiBmb3IgJ015IHRlc3QgZXJyb3InIHdhcyB0cmlnZ2VyZWQgaW4gVEVTVCBlbnZpcm9ubWVudC4NCg0KYW4gcmVjZWl2ZXI6DQpPbi4u

What do I wrong?

0 Karma

c155969
New Member

Thanks for the answer. I checked this and do not see any conent_type Settings at all.
however, when I Change the alert Action in the Splunk-GUI to 'Plain Text' THEN I see the following when running btool:

/opt/splunk/etc/apps/TEST/local/savedsearches.conf action.email.content_type = plain

As soon as I Switch alert type Setting back to 'HTML & plain Text' in the gui the Content_type Setting disappers.
Is html the Default?

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Check what's the content_type set for your alert email. You can run btool command on the search head where that alert search exists and see.

$Splunk_home/bin/splunk btool savedsearches list "YourAlertSearchNameHere" --debug

content_type = [html|plain]
* Specify the content type of the email.
  * plain sends email as plain text
  * html sends email as a multipart email that include both text and html.
0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...