Hi All,
I have a use case where I want to send replies using a separate email address from the default address of Splunk. What I'm trying to achieve is:
Any help will be highly appreciated.
Thank you
Hi shiv1593,
Give this a try with the sendemail command, where you can specify multiple from addresses and different SMTP servers:
Note: Make sure of the connectivity between the Splunk server and the SMTP server.
savedsearches.conf: specify the action.email.mailserver attribute for this saved search.
Hi p_gurav,
This seems intriguing. I will try and implement this and let you know my findings.
Thank you very much
If you are using Splunk ES and the adaptive response action for Email, one approach [not a clean one] would be to have one correlation search for the specific host for informationawareness and another correlation search for the rest of them, and update action.email.mailserver; it should still work.
Hi,
try using the sendemail command with a custom from address.
Hi p_gurav,
Tried that. Doesn't work. I guess it has something to do with the configuration of the mail I'm trying to use. Unless I open the port between my search head and the mailbox server and establish the basic SMTP connection, I won't be able to use it. Just wanted to figure out where I should put those SMTP settings in Splunk, I mean inside which configuration file, and how that stanza will be designed in order to get it executed.
If you use Splunk Web then click on Settings -> Saved Searches -> <Alert Name> -> Edit -> Advanced Edit and override action.email.from, which defaults to splunk@<LOCALHOST> (or whatever is set in alert_actions.conf).
Hi Harsh,
Tried that. Doesn't work since the SMTP server and settings of the mail ID that I want to trigger the alert from, informationawareness@mycompany.com, are different. From what I figure, I may need to specify the settings of the mail ID within my search head, so that Splunk reads and uses it for this particular alert, which is giving me the field "User email", and uses the email addresses present inside the field to reply to them individually. I want all of the other emails going from Splunk to use the default ID itself.
So based on your comment, I am assuming that you are running a single scheduled search which has a User Email field, and you want to send email to all those email IDs, but you want a different from email address for certain users (email IDs) only??
Correct. I am running a scheduled search which triggers conditions per event, picks out an email address from the User email field, and sends it a pre-drafted email. It does the same for all the email addresses which are produced when the search runs. But for this particular search, I want to use a different "from email address", which would be informationawareness@mycompany.com, instead of the default email address of Splunk, which in my case is abc_splunk@mycompany.com. I want all of my other searches to use the default email address of Splunk, which is abc_splunk@mycompany.com, as they are doing as of now.
Can you please share your alert_actions.conf and savedsearches.conf for that particular search (please mask/alter any sensitive data) from the Search Head?
Hi Harsh,
Sorry for such a delay in response. Here is the savedsearches.conf.
[My_Search]
action.email = 1
action.email.include.search = 1
action.email.include.view_link = 0
action.email.inline = 1
action.email.sendcsv = 1
action.email.sendpdf = 1
action.email.sendresults = 1
action.email.to = senders
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.param.verbose = 0
action.threat_add.param.verbose = 0
alert.track = 0
Here is the alert_actions.conf
[name of the alert]
from=splunk@localhost.com
to=$user_email$
subject="My subject as mentioned in the alert"
sendresults=1
inline=1
priority=5
mailserver=local mail server:port number as defined
sendpdf=1
sendcsv=1
Are the SMTP servers for abc_splunk@mycompany.com and informationawareness@mycompany.com different? Normally Splunk uses alert_actions.conf for storing these configurations.
Yes, both of them have different SMTP relay servers. I thought about the alert_actions.conf file, I'm just not sure how to edit it to be used just for this particular alert and leave the default ID for the rest of the things.
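As an added example (not configuration from any poster in this thread), here is the layout that p_gurav's savedsearches.conf hint and Harsh's action.email.from hint both point at: the global sender and relay stay in the [email] stanza of alert_actions.conf, and only the one saved search overrides them with action.email.* settings in savedsearches.conf. The stanza name My_Search, the relay hostnames relay1.mycompany.com / relay2.mycompany.com and their ports, the STARTTLS and SMTP AUTH requirement on the second relay, the field name user_email and the credentials are all assumptions for illustration; substitute your own.

```ini
# Added example, not the original poster's files. Assumed names: My_Search,
# relay1/relay2.mycompany.com, field user_email, placeholder credentials.

# --- $SPLUNK_HOME/etc/apps/<your_app>/local/alert_actions.conf ---
# Global defaults. Every alert that does not override these keeps using them,
# so all the other searches continue to send as abc_splunk@mycompany.com.
[email]
from = abc_splunk@mycompany.com
mailserver = relay1.mycompany.com:25

# --- $SPLUNK_HOME/etc/apps/<your_app>/local/savedsearches.conf ---
# Per-search override: only this stanza uses the second sender and relay.
[My_Search]
action.email = 1
# Trigger the action once per result instead of once per digest, so each
# address found in user_email gets its own message.
alert.digest_mode = 0
# $result.<field>$ expands to that result's field value in per-result mode.
action.email.to = $result.user_email$
action.email.from = informationawareness@mycompany.com
# Assumed second relay; host:port of the relay that accepts mail for this sender.
action.email.mailserver = relay2.mycompany.com:587
action.email.use_tls = 1
# Only needed if the relay requires SMTP AUTH (assumed here). Prefer entering
# the password through Splunk Web rather than committing it in clear text.
action.email.auth_username = informationawareness@mycompany.com
action.email.auth_password = CHANGEME
action.email.subject = Information awareness notice
action.email.sendresults = 1
action.email.inline = 1
```

After saving, confirm the merged result with `splunk btool savedsearches list My_Search --debug` on the search head: action.email.from and action.email.mailserver should show the overridden values for this stanza and nothing else should have changed. As noted earlier in the thread, the search head also needs network reachability to the second relay on the chosen port, which is a separate firewall/allow-list step from anything in the .conf files.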