Yes, if you look in $SPLUNKHOME$/etc/system/default/transforms.conf, you can see many examples of how to do it. Here is one of them: [octet] this would match only numbers from 0-255 (one octet in an ip) REGEX = 2(?:5[0-5]|[0-4][0-9])|[0-1][0-9][0-9]|[0-9][0-9]? [ipv4] matches a valid IPv4 optionally followed by :port_num the octets in the ip would also be validated 0-255 range Extracts: ip, port REGEX = (? [[octet]](?:\.[[octet]]){3})(?::[[int:port]])? ... View more

You would need to have a resource who can modify the default splunk python script, as this is the script that actually send the emails. It resides in: $SPLUNK_HOME/etc/apps/search/bin/sendemail.py I would advise making a copy of this script with another name Thoroughly test the script changes as this would affect all outgoing alerts. Once you wish to use the new python email script you can point splunk to use it by creating a $SPLUNK_HOME/etc/apps/search/local/commands.conf You will need a [sendemail] section to point to your new script. [sendemail] filename = your_sendemail.py streaming = false run_in_preview = false http://splunk-base.splunk.com/answers/2641/how-do-i-customize-scheduled-search-alert-emails ... View more

Found the issue! At some point during editing of the file, SYSTEM was removed from the ACL. Re-added SYSTEM with full permissions, restarted the agent and the data was recorded. On a side note, no errors were shown in splunkd.log, because Splunk couldn't even see the file to know that it didn't have permissions. ... View more