How to achieve plain text email alerts in Splunk Enterprise 6.2.5?

tgord
Explorer

Or, alternatively, how to ensure that the "alternative plain text version" comes through?

From the 6.2.5 documentation on alert_actions.conf:

format = [table|raw|csv]
    * Specify the format of inline results in the email.
    * Acceptable values:  table, raw, and csv.
    * Previously accepted values plain and html are no longer respected
    * and equate to table.
    * All emails are sent as HTML messages with an alternative plain text version.

I am not seeing an alternative plain text version dispatched alongside or as an attachment to HTML email alerts in our deployment at our organization. What avenues can I explore here? I'd rather not hack up sendemail.py, but if I have to, any pointers there would be appreciated as well.

0 Karma
1 Solution

tgord
Explorer

The answer is that all alert emails are sent as multi-part MIME-encoded messages, which is technically not pure plain text, but most readers in plain-text mode should not have an issue displaying alerts/result sets in plain text.

0 Karma
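
One way to verify what the accepted answer describes, as an added example that is not part of this thread or of Splunk's own code: parse a received alert with Python's standard `email` library and report whether a text/plain part sits beside the HTML part. The two messages below are constructed samples standing in for a Splunk alert, not real alert output.

```python
# Check whether a MIME alert email carries a text/plain alternative.
from email import message_from_string, policy

# Constructed sample: the shape of a multipart/alternative alert on the wire.
MULTIPART_ALERT = """\
From: splunk@example.com
Subject: Splunk Alert: failed_logins
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

user    count
alice   12
bob     7
--b1
Content-Type: text/html; charset="utf-8"

<table><tr><td>alice</td><td>12</td></tr><tr><td>bob</td><td>7</td></tr></table>
--b1--
"""

# Constructed sample: the failure mode reported in the question, HTML only.
HTML_ONLY_ALERT = """\
From: splunk@example.com
Subject: Splunk Alert: failed_logins
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<table><tr><td>alice</td><td>12</td></tr></table>
"""

def leaf_content_types(raw):
    """Content types of every non-container MIME part, in wire order."""
    msg = message_from_string(raw, policy=policy.default)
    return [p.get_content_type() for p in msg.walk() if not p.is_multipart()]

def plain_text_alternative(raw):
    """Decoded text/plain body, or None when the alert has no plain alternative."""
    msg = message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    return None if part is None else part.get_content()

if __name__ == "__main__":
    for name, raw in (("multipart", MULTIPART_ALERT), ("html-only", HTML_ONLY_ALERT)):
        print(name, leaf_content_types(raw), plain_text_alternative(raw) is not None)
```

Saving a received alert from the mail client as raw source and passing its contents to these functions shows directly whether the plain-text alternative left Splunk and survived the mail path.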

woodcock
Esteemed Legend

Try calling your own mail script. You can use the following perl script as a starting point:

#!/usr/bin/perl -w
use strict; use warnings; use diagnostics;

my ($myPath, $myName) = $0 =~ m/(.*)[\\\/](.+)/ ? ($1, $2) : ("./", $0);

# Parameters passed in from Splunk's alert
# $1-$9 is the positional parameter list. $ARGV[0] starts at $1 in Perl.
#my $searchCount  = $ARGV[0]; # $1 searchCount  - Number of events returned
#my $searchTerms  = $ARGV[1]; # $2 searchTerms  - Search terms
 my $Description  = $ARGV[2]; # $3 searchQuery  - Fully qualified query string
 my $AlertName    = $ARGV[3]; # $4 searchName   - Name of saved search
#my $searchReason = $ARGV[4]; # $5 searchReason - Reason saved search triggered
#my $searchURL    = $ARGV[5]; # $6 searchURL    - URL/Permalink of saved search
#my $searchTags   = $ARGV[6]; # $7 searchTags   - Always empty <= v6.1.1
 my $searchPath   = $ARGV[7]; # $8 searchPath   - Path to search-head results

die "Results file '$searchPath' not found\n" unless defined $searchPath && -f $searchPath;

# Pipe the results file into mail(1). The list form of open() passes the
# subject and recipient straight to mail without a shell interpreting them.
my $subject = "Splunk plain-text email for $AlertName=$Description";
open(my $results, '<', $searchPath) or die "Cannot read $searchPath: $!\n";
open(my $mail, '|-', 'mail', '-s', $subject, 'user@example.com')
    or die "Cannot run mail: $!\n";
print $mail $_ while <$results>;
close $results;
close $mail or die "mail exited with status ", $? >> 8, "\n";

exit 0;

0 Karma

tgord
Explorer

This is less than ideal as I don't have the means to test outside of our production environment at the moment. I'd also prefer to keep Splunk's script intact as it seems quite robust, and furthermore future updates would not break functionality. Any idea why the alternative plain text versions are not coming through?

0 Karma