Alerting

How to achieve plain text email alerts in Splunk Enterprise 6.2.5?

tgord
Explorer

Or, alternatively, how to ensure that the "alternative plain text version" comes through?

From the 6.2.5 documentation on alert_actions.conf:

format = [table|raw|csv]
    * Specify the format of inline results in the email.
    * Acceptable values:  table, raw, and csv.
    * Previously accepted values plain and html are no longer respected
    * and equate to table.
    * All emails are sent as HTML messages with an alternative plain text version.

I am not seeing an alternative plain text version dispatched alongside or as an attachment to HTML email alerts in our deployment at our organization. What avenues can I explore here? I'd rather not hack up sendemail.py, but if I have to, any pointers there would be appreciated as well.


tgord
Explorer

The answer is that all alert emails are sent as multipart MIME-encoded, which is technically not pure plain text, but most readers in plain text mode should not have an issue displaying alerts/result sets in plain text.

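One way to check whether a received alert actually carries the text/plain alternative the documentation promises is to parse the raw message the way a plain-text-mode reader does. This is an added example, not Splunk's sendemail.py: build_alert() only constructs a hypothetical Splunk-like message so the check can run offline; on a real deployment you would save the raw alert from the mail server and pass it to plain_text_part().

```python
from email import message_from_string, policy
from email.message import EmailMessage
from typing import Optional

# Constructed sample result rows, standing in for a saved search's inline results.
SAMPLE_ROWS = [
    {"host": "web01", "count": 17},
    {"host": "web02", "count": 3},
]


def plain_text_part(raw: str) -> Optional[str]:
    """Return the body of the first non-attachment text/plain part, or None.

    Walks the MIME tree as a plain-text-mode reader does: a multipart/alternative
    alert yields its text alternative, an HTML-only alert yields None.
    """
    msg = message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.is_attachment():
            return part.get_content()
    return None


def build_alert(subject: str, rows: list, with_plain: bool) -> str:
    """Construct a Splunk-like alert message (hypothetical layout, not Splunk's).

    with_plain=True: multipart/alternative with text/plain and text/html.
    with_plain=False: HTML-only, the situation the question reports.
    """
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "splunk@example.com"
    msg["To"] = "oncall@example.com"
    header = list(rows[0].keys())
    text = "\n".join(["\t".join(header)]
                     + ["\t".join(str(r[h]) for h in header) for r in rows])
    html = "<table>" + "".join(
        "<tr>" + "".join("<td>%s</td>" % r[h] for h in header) + "</tr>" for r in rows
    ) + "</table>"
    if with_plain:
        msg.set_content(text)                      # text/plain body first
        msg.add_alternative(html, subtype="html")  # converts to multipart/alternative
    else:
        msg.set_content(html, subtype="html")      # no plain alternative at all
    return msg.as_string()


if __name__ == "__main__":
    raw = build_alert("Splunk Alert: failed logins", SAMPLE_ROWS, with_plain=True)
    print(plain_text_part(raw) or "NO text/plain part found")
```

If plain_text_part() returns None for a captured alert, the message left Splunk (or was rewritten by an intermediate MTA or gateway) without the alternative part, which narrows where to look.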

woodcock
Esteemed Legend

Try calling your own mail script. You can use the following perl script as a starting point:

#!/usr/bin/perl -w
use strict; use warnings; use diagnostics;

my ($myPath, $myName) = $0 =~ m/(.*)[\\\/](.+)/ ? ($1, $2) : ("./", $0);

# Parameters passed in from Splunk's alert
# $1-$9 is the positional parameter list. $ARGV[0] starts at $1 in Perl.
#my $searchCount  = $ARGV[0]; # $1 searchCount  - Number of events returned
#my $searchTerms  = $ARGV[1]; # $2 searchTerms  - Search terms
 my $Description  = $ARGV[2]; # $3 searchQuery  - Fully qualified query string
 my $AlertName    = $ARGV[3]; # $4 searchName   - Name of saved search
#my $searchReason = $ARGV[4]; # $5 searchReason - Reason saved search triggered
#my $searchURL    = $ARGV[5]; # $6 searchURL    - URL/Permalink of saved search
#my $searchTags   = $ARGV[6]; # $7 searchTags   - Always empty <= v6.1.1
 my $searchPath   = $ARGV[7]; # $8 searchPath   - Path to search-head results

die "usage: $myName <Splunk alert arguments>\n"
    unless defined $AlertName && defined $searchPath;

# Pipe the results file to mail(1). The list form of open() hands the subject
# to mail as a single argument without going through a shell, so characters
# in the search query cannot be interpreted as shell metacharacters.
open(my $results, '<', $searchPath) or die "Cannot open $searchPath: $!";
open(my $mail, '|-', 'mail', '-s',
     "Splunk plain-text email for $AlertName=$Description", 'user@example.com')
    or die "Cannot run mail: $!";
print {$mail} $_ while <$results>;
close($results);
close($mail) or die "mail exited with status $?";

exit 0;

tgord
Explorer

This is less than ideal as I don't have the means to test outside of our production environment at the moment. I'd also prefer to keep Splunk's script intact as it seems quite robust, and furthermore future updates would not break functionality. Any idea why the alternative plain text versions are not coming through?
