How to include results in e-mail in raw format?

Simon
Contributor

Hi everybody

In Splunk 3.x we got the results attached to the email when running a scheduled saved search in raw format. Unfortunately, since Splunk 4.x these come in csv, which is not that comfortable for us. Is there a way to change the format, or do I have to place a feature request?

Regards, Simon

mohitvohra109
Explorer

Assuming that you are part of the Splunk Admin group; then yes it can be done.

  1. Log in to Splunk and then in the top right corner of your screen you'll see the 'Manager' link.
  2. Click on it and then click the 'System Settings' link.
  3. There click on the 'Email alert settings' and you'll see a drop-down next to 'Email Format'. Click on it and you can set it from csv to 'raw' as well.
  4. Beneath that drop-down box you'll also see another combo box for 'Include results inline'. Make sure that the value selected beneath that combo box is 'Yes'.
  5. That's it. Now the next time you select the option 'include results in email' while scheduling the search it will come in raw format.

I can verify this on 4.1.6 as I used this to do the opposite, i.e. I wanted csv reports rather than inline raw text, so this has worked for me. Hope this helps.

mohitvohra109
Explorer

When I say 'Splunk Admin group' I mean that you must be part of the AD group that grants you admin access on Splunk, or that you have the required permissions to play with the 'System Settings' under the 'Manager' link.

jrodman
Splunk Employee

You can also specify the format on an alert-by-alert basis, in savedsearches.conf:

[mysearch]
action.email.format = raw

You should be able to override all system defaults from alert_actions.conf on an alert-by-alert basis in this format.

jrodman
Splunk Employee

The alert_actions.conf.spec file says "hey my actions spill through to savedsearches.conf". I thought savedsearches.conf indicated the same the other way. The settings are not all documented in duplicate in both locations. Perhaps we should say something like action.* settings can be reviewed in alert_actions.conf.spec.

the_wolverine
Champion

I've verified that setting action.email.format PER SEARCH works in 4.1.5. Still wondering why this useful feature is not documented.

the_wolverine
Champion

Is this a legitimate action in version 4.1.5? I ask because I don't see this action in the spec file.

the_wolverine
Champion

You can change the format system-wide by editing the alert_actions.conf file. The out-of-box default in version 4.1 is html:

# Specify the format of the text in the email as either: 
# html, raw, csv, plain. Remember that results are always attached in csv format
#
format = html
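The two layers described in this thread (a system-wide default in alert_actions.conf, overridden per search by action.email.format in savedsearches.conf) can be checked without opening the UI. The following is an added example, not Splunk's code or anything posted by the contributors above; it assumes the format default lives under the [email] stanza of alert_actions.conf and that action.email / action.email.inline are the per-search enable and inline flags, and it resolves the effective email format for each saved search that mails results, so an admin can see which alerts will put raw search results inline in e-mail.

```python
import configparser

# Constructed sample of alert_actions.conf (system-wide default; the
# out-of-box value quoted in the thread is html).
ALERT_ACTIONS_CONF = """
[email]
# Specify the format of the text in the email as either:
# html, raw, csv, plain.
format = html
"""

# Constructed sample of savedsearches.conf: one search overrides the
# format per-search (as in the answer above), the other inherits it.
SAVEDSEARCHES_CONF = """
[mysearch]
search = index=_internal sourcetype=splunkd | head 5
action.email = 1
action.email.format = raw
action.email.inline = 1

[daily_report]
search = index=main | stats count by host
action.email = 1
"""

def _parse(text):
    # Splunk .conf files are INI-style; keep key case exactly as written.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def effective_email_format(savedsearches_text, alert_actions_text, search_name):
    """Per-search action.email.format wins; otherwise the [email] format from
    alert_actions.conf; otherwise 'html' (the out-of-box default)."""
    ss = _parse(savedsearches_text)
    aa = _parse(alert_actions_text)
    default = aa.get("email", "format", fallback="html")
    return ss.get(search_name, "action.email.format", fallback=default)

def audit_email_actions(savedsearches_text, alert_actions_text):
    """Return {search: (format, inline)} for every search with the email
    action enabled, so alerts that mail raw results inline stand out."""
    ss = _parse(savedsearches_text)
    report = {}
    for name in ss.sections():
        if ss.get(name, "action.email", fallback="0") != "1":
            continue
        fmt = effective_email_format(savedsearches_text, alert_actions_text, name)
        inline = ss.get(name, "action.email.inline", fallback="0") == "1"
        report[name] = (fmt, inline)
    return report
```

Point the two constants at the real files (the local/ copy takes precedence over default/ in Splunk's layering) to audit a live instance.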

Simon
Contributor

Okay, I didn't know that changing the e-mail format also applies to any attachments. But is there no option to let the users themselves specify the format when they do not have access to the config files?
