Hi.
Where can you configure the content of an Email sent?
For instance currently the alert looks like this
Saved search results.
Name: 'Service unavailable Test'
Query Terms: 'source=\"c:\\logs\\CA_IF_Log_File.log\" host=\"Test\"'
Link to results: http://splunk:8000/app/Rat_Stalling_Alerts/@go?sid=scheduler__admin_UmF0X1N0YWxsaW5nX0FsZXJ0cw_Rk5CI...
Alert was triggered because of: 'Saved Search [FNB UAT RAT (136)]: number of events(0)'
That's nice and all.
Instead I want my own specified content in the email.
Example
Saved search results.
Name: 'Service unavailable Test'
Possible downtime. Please investigate
That's all. I do not want all that other information.
All right, so complicated!
Such a simple thing and Splunk has no such tool???
Edit the sendemail.py file and change the headings etc. in $SPLUNK_HOME/etc/apps/search/bin/sendemail.py, but make sure you make a copy first and be careful!
You can just add a custom http link to the subject of the alert. Once fired, the link becomes clickable.
I use the script option, but I was having issues trying to get the data from the search into the email from the script option in the alert.
My solution is to have the alert kick off a CLI search which dumps the output into a file that is the body of the crafted email. The use of the >> command appends to the file, so you can have custom comments like what you are asking for above. Then once the email is fired off, at the end of the script you can copy over the file you just appended to with base text.
I know this is a little redundant and can be cleaned up but I hope you get the idea.
Batch script:
@echo off
"%SPLUNK_HOME%\bin\splunk.exe" search "sourcetype=foo bar daysago=1 | table _time foobar | dedup _time" >> e:\email_body.txt
"email program commands to include the file as the body"
This will run the result twice and you need to be concerned about the time range, depending on the schedules.
You can use "loadjob" command to call the latest scheduled search result in the script.
Here is a simple example;
http://wiki.splunk.com/Community:Search_Alert:_How_to_get_search_result_in_Scripted_Alert
There is a similar Answers thread here:
http://splunk-base.splunk.com/answers/621/email-alert-subject
Also points to external scripting as the solution.
To elaborate on Damien's comments, a custom script seems to be the only answer right now. There are a few solutions in the 'apps' area:
http://splunk-base.splunk.com/apps/22368/php-scripted-alerts
http://splunk-base.splunk.com/apps/22398/use-javamail-for-scripted-alerts
http://splunk-base.splunk.com/apps/22397/use-python-mail-for-scripted-alerts
Your best bet might well be configuring the alert to fire an external script that does the emailing, vs using the inbuilt emailing facility.
Your script has access to 9 different parameters with information about the alert event. And then you could further decorate this with your own custom content, format, etc.
http://docs.splunk.com/Documentation/Splunk/5.0.1/Alert/Configuringscriptedalerts#Script_options
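An added example, not code from any poster in this thread or from Splunk: a scripted-alert handler that mails only the saved search name and a custom line, as the question asks. The argument order follows the Script options documentation linked above; the SMTP host, the addresses and the custom text are assumptions. The search name is flattened to one line before it goes into the Subject header, so a name containing line breaks cannot add headers to the mail.

```python
import sys
import smtplib
from email.message import EmailMessage

# Assumed values for this example; replace with your own.
SMTP_HOST = "localhost"
MAIL_FROM = "splunk@example.com"
MAIL_TO = "oncall@example.com"
CUSTOM_TEXT = "Possible downtime. Please investigate"

# Positional arguments passed to a scripted alert (argv[0] is the script itself).
ARG_NAMES = ["script", "event_count", "search_terms", "query_string",
             "search_name", "trigger_reason", "results_url",
             "deprecated", "results_file"]


def parse_alert_args(argv):
    """Map argv to named fields; missing trailing arguments become ''."""
    padded = list(argv) + [""] * (len(ARG_NAMES) - len(argv))
    return dict(zip(ARG_NAMES, padded))


def one_line(value, limit=200):
    """Collapse CR/LF and other whitespace so the value is safe in a header."""
    return " ".join(value.split())[:limit]


def build_message(alert, custom_text=CUSTOM_TEXT):
    """Build a mail carrying only the search name and the custom text."""
    name = one_line(alert["search_name"])
    msg = EmailMessage()
    msg["From"] = MAIL_FROM
    msg["To"] = MAIL_TO
    msg["Subject"] = "Splunk alert: " + name
    # Query terms, results link and trigger reason are deliberately left out.
    msg.set_content("Saved search results.\nName: '%s'\n%s\n" % (name, custom_text))
    return msg


def main(argv):
    msg = build_message(parse_alert_args(argv))
    with smtplib.SMTP(SMTP_HOST) as smtp:  # plain SMTP relay, assumed
        smtp.send_message(msg)


if __name__ == "__main__":
    main(sys.argv)
```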
Hey there,
I'd like to +1 this with the addition that I would like to be able to put arbitrary content into the body of the email. Specifically, I'm looking to put links in the body to an internal knowledge base. Anyone working on this?
Regards.