Here's how I solved this.
I noticed that the savedsearch dhcpd_alert_new_mac_address_15m was configured to send an email every 15 minutes. By default, it sends email to example@example.org . That is a ton of email (96 incorrect emails per day?). This is viewable under "Splunk> Manager » Searches and reports » dhcpd_alert_new_mac_address_15m", and on the commandline at $SPLUNK_HOME/etc/apps/dhcpd/default/savedsearches.conf has this:
[dhcpd_alert_new_mac_address_15m]
action.email = 1
action.email.sendresults = 1
action.email.to = example@example.com
counttype = number of events
cron_schedule = */15 * * * *
description = Alerts on mac addresses seen in the last 15 minutes that were not in the dhcpd_mac-hostname lookup table
To disable this, I simply unchecked the box next to "Schedule this search". On the commandline, the following file was added to $SPLUNK_HOME/etc/apps/dhcpd/local/savedsearches.conf , and now the emails have stopped.
[dhcpd_alert_new_mac_address_15m]
disabled = 1
... View more