Alerting

Use of the search "description" field in an alert email

raoul
Path Finder

Is it possible to make use of the search "description" field in an alert email?

From what I can see it does not seem to be one of the items passed into the mail delivery script. It would be most useful if it was, as this would open up the possibility of including "what to do" information in the email that delivers the notification.


sloshburch
Splunk Employee

It looks like there is a [very annoying] way to do this.

The alert_actions.conf defines the command sent to the sendmail command (which appears to have many options/params other than what's documented). That sendmail command doesn't outline how the body of the email is formed - that is done in the respective python file.

You could edit and make your own python file for sendmail BUT I assume that's not a best practice because any update of splunk will overwrite yours OR add new features which means you'll have to re-edit the sendmail.py file or not take advantage of the new features.

An alternate approach I've gotten to work is that I copied the 'command' attribute from the default/alert_actions.conf and added it to my own local version of alert_actions.conf. Then I've edited this ssname=$name$ to be "ssname=$name$ Description: $description$". I'm still playing with formatting (making it go on a new line, etc.).

You can obviously use your own app scoping to change the impact of this - for example, I'm adding this to my global app so the description is added to all emails in our environment.


sloshburch
Splunk Employee

Looks like it's going to be hard to add any formatting because the python script escapes the text:

    if ssName:
        intro += "Name: '" + escape(ssName, plainText) + "'\n"

I don't really want to edit the python script (because of aforementioned reasons) so if anyone thinks of a workaround, please share!


manikdham
Path Finder

Where do you make these changes?


sloshburch
Splunk Employee

Either the subject line in the UI (just put the value, not the "action.email.subject = ") OR in the savedsearch.conf with the full string bmunson_splunk suggested.


bmunson_splunk
Splunk Employee

Yes, but by default, it only goes in the subject.
I use the following to make the subject include the description.

action.email.subject = Splunk Alert: $name$ ~ $description$

I have also written a script to break the subject on the ~ character and then embed the description into the body of the email. It works, but I would prefer it if Splunk allowed it natively with a multi-line rich text description.
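As an added illustration of the approach above (not bmunson_splunk's script, which is not posted in this thread): split the rendered subject on the first " ~ " and move the description into the body. Function names and the " ~ " separator are assumptions; the description is search-author controlled text, so for an HTML body it is escaped the same way sendmail.py escapes the search name.

```python
import html

# Matches the subject template: action.email.subject = Splunk Alert: $name$ ~ $description$
SEPARATOR = " ~ "


def split_subject(rendered_subject, sep=SEPARATOR):
    """Return (subject, description) from the subject Splunk rendered.

    Only the first separator is honoured, so a '~' inside the description
    text survives. The description is empty when no separator is present.
    """
    head, found, tail = rendered_subject.partition(sep)
    if not found:
        return rendered_subject.strip(), ""
    return head.strip(), tail.strip()


def build_body(description, plain_text=True):
    """Build a 'What to do' block for the email body.

    Descriptions come from whoever saved the search; escape them before
    embedding in HTML so markup in a description cannot inject tags into
    the notification (mirrors the escape() call in sendmail.py).
    """
    if not description:
        return ""
    if plain_text:
        return "What to do:\n" + description + "\n"
    return "<h3>What to do</h3><p>" + html.escape(description, quote=True) + "</p>"


def rewrite_alert(rendered_subject, plain_text=True):
    """Shorten the subject and return the body block carrying the description."""
    subject, description = split_subject(rendered_subject)
    return subject, build_body(description, plain_text)


if __name__ == "__main__":
    # Constructed sample of what Splunk would render from the template above.
    sample = "Splunk Alert: Failed logins spike ~ Check auth.log on the host & page on-call"
    subject, body = rewrite_alert(sample, plain_text=False)
    print(subject)
    print(body)
```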

sloshburch
Splunk Employee

I like the way you phrased your request, "multi-line rich text". Have you submitted a feature request on this? It sounds like a well thought out feature request.

somnathnag
Engager

I am facing the same issue. I am trying to split the subject in the sendmail.py file, not sure if it is correct.
Also, can you post your script here?
