I'm on Splunk 5.0.2 and tried the above suggestion. It did work to remove the query results from my email messages, but did not remove the URL to the search. I also found that the above killed my ability to attach PDFs to any of my alerts. Once I removed the above, the PDF started working again.
I did a few things to clean up and simplify the email alerts. First, I modified the sendemail.py by customizing the intro+= that used to say the details of the search is below to: intro += "The Details of the Splunk Alert is below. If you need assistance, contact CIRT at CIRT@xx.xxx.gov:"
I then commented out the lines for the ssLink that links to the results. I just put a # in front of two lines, first the #if ssLink: and then the #intro += "Link to results: " + ssLink + "\n"; This removed the URLs from my email alerts.
Next I commented out the lines responsible for putting the query into the body of the email. Again, place a # in front of two lines, as shown below: #if query: and then the #intro += "Query Terms: \'" + escape(query, plainText) + "\'\n"
Now my email messages look like this:
The Details of the Splunk Alert is Below. If you need assistance, contact CIRT at CIRT@xx.xxx.GOV:
Name: 'SEP Alert - Malware Found'
Alert was triggered because of: 'Saved Search [SEP Alert - Malware Found]: number of events(1)'
The content is shown below inline. I confirmed that the .csv and the .pdf attachments will both work with this done as well.
I have not found any issues with any of my alerts doing it this way, but the nice thing is...all you have to do is remove the # signs in the code and you should be back in business if something stops working correctly. Also...FYI the backslashes do not appear in the text correctly, Splunk must not allow them in comments, so your code may look just a bit different than this example.
... View more