How to change the "From" address when an alert email is generated from a new search head server in the cluster?

mlevsh
Builder

We have 4 search head servers in search cluster. One of them was added recently.

When Splunk alerts come from "old" servers, they show "Splunk Alert splunk@servername.com" as the sender.

Splunk alerts from the newly added server have just "splunk@servername.com". As a result, a recipient of the email sees this email address, not the name "Splunk Alert".

Cannot find where to change it. All servers have the same /opt/splunk/etc/system/default/alert_actions.conf

Thank you in advance for any suggestions.

UPDATE: the fix for the issue above was not Splunk related. The splunk@ address was added to the existing Contact "Splunk Alerts" by our AD administrator.

1 Solution

mlevsh
Builder

@somesoni2, just an update FYI. In our case the issue was resolved not through Splunk at all, but through our mail exchange settings. Apparently, we had a Contact called "Splunk Alerts". The messaging administrator just added splunk@hostname.acml.com to that contact.

somesoni2
SplunkTrust

The default from email address in newer versions is splunk@$LOCALHOST. You should be able to update the from email address by updating the alert_actions.conf file's [email] stanza. Refrain from modifying any conf file in the directory /opt/splunk/etc/system/default/. It's a big no-no. You can create a file alert_actions.conf in the directory /opt/splunk/etc/system/local/ instead and add the following:

/opt/splunk/etc/system/local/alert_actions.conf

[email]
from = Splunk Alert splunk@hostname.acml.com
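One way to confirm on each search head which file actually supplies the effective [email] from value (and to catch members that still only inherit it from system/default). This is an added example, not code from the thread; it assumes a Linux install under /opt/splunk, the btool invocation is real, and the sample output is constructed to match btool's --debug layout.

```shell
#!/bin/sh
# Audit the merged alert_actions.conf [email] "from" setting on one search head.
# Reads `splunk btool alert_actions list email --debug` output on stdin and
# prints "<source-file>|<from value>". Returns 1 when the value is only
# inherited from system/default (nothing in system/local or an app overrides it),
# 0 when a local/app override is in effect.
check_email_from() {
  awk '
    # btool --debug prints: <file that supplies the key>  key = value
    $1 ~ /alert_actions\.conf$/ && $2 == "from" && $3 == "=" {
      src = $1
      val = ""
      for (i = 4; i <= NF; i++) val = val (i > 4 ? " " : "") $i
    }
    END {
      if (src == "") { print "from not set|"; exit 1 }
      print src "|" val
      if (src ~ /\/etc\/system\/default\//) exit 1
    }'
}

# Constructed sample: a member that still runs on the shipped default only
# (real output lists many more keys; only the relevant ones are kept here).
SAMPLE_DEFAULT_ONLY='/opt/splunk/etc/system/default/alert_actions.conf    [email]
/opt/splunk/etc/system/default/alert_actions.conf    from = splunk
/opt/splunk/etc/system/default/alert_actions.conf    mailserver = localhost'

# Constructed sample: the same member after adding the system/local override
# suggested in the answer above.
SAMPLE_LOCAL_OVERRIDE='/opt/splunk/etc/system/default/alert_actions.conf    [email]
/opt/splunk/etc/system/local/alert_actions.conf    from = Splunk Alert splunk@hostname.acml.com
/opt/splunk/etc/system/default/alert_actions.conf    mailserver = localhost'

# Run this on a live search head; exit status 1 means the default is still in use.
audit_live() {
  /opt/splunk/bin/splunk btool alert_actions list email --debug | check_email_from
}
```

Run `audit_live` on each cluster member and compare the printed source file and value; a member whose from setting still resolves to system/default is the one that will send with the bare splunk@hostname address.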

mlevsh
Builder

Under "old" I meant servers that were already members of the cluster. All 4 servers have the same Splunk version "6.3.3" and all 4 servers have the same line in the [email] stanza:
from = splunk

But when the email actually reaches a recipient, the "From" field looks different:
1. for newly added splunk search head it's
From splunk@hostname.com
Splunk Alert Test
2. From other search head servers it's
From Splunk Alert
Splunk Alert Test
Note: none of them has a $SPLUNK_HOME/etc/system/local/alert_actions.conf version.


mlevsh
Builder

In addition to my previous comment: when I put 'Splunk Alert' as 'from' in the [email] stanza,
the system takes the first word 'Splunk' and adds the hostname by default. The second word 'Alert' is not used.
