Hi everybody
In Splunk 3.x we got the results attached to the email in raw format when running a scheduled saved search. Unfortunately, since Splunk 4.x these come in csv, which is not that comfortable for us. Is there a way to change the format or do I have to place a feature request?
Regards, Simon
Assuming that you are part of the Splunk Admin group, then yes, it can be done.
I can verify this on 4.1.6 as I used this to do the opposite; i.e. I wanted csv reports rather than inline raw text, so this has worked for me. Hope this helps.
When I say 'Splunk Admin group' I mean that you must be part of the AD group that grants you admin access on Splunk or that you have the required permissions to play with the 'System Settings' under the 'Manager' link.
You can also specify the format on an alert-by-alert basis, in savedsearches.conf:
[mysearch]
action.email.format = raw
You should be able to override all system defaults from alert_actions.conf on an alert-by-alert basis in this format.
The alert_actions.conf.spec file says "hey my actions spill through to savedsearches.conf". I thought savedsearches.conf indicated the same the other way. The settings are not all documented in duplicate in both locations. Perhaps we should say something like action.* settings can be reviewed in alert_actions.conf.spec.
I've verified that setting action.email.format PER SEARCH works in 4.1.5. Still wondering why this useful feature is not documented.
Is this a legitimate action in version 4.1.5? I ask because I don't see this action in the spec file.
You can change the format system-wide by editing the alert_actions.conf file. The out-of-box default in version 4.1 is html:
# Specify the format of the text in the email as either:
# html, raw, csv, plain. Remember that results are always attached in csv format
#
format = html
Okay, I didn't know that changing the e-mail format also applies to any attachments. But there is no option to let the users themselves specify the format when they do not have access to the config files?