We have 4 search head servers in a search head cluster. One of them was added recently.
When Splunk alerts come from the "old" servers, they show "Splunk Alert splunk@servername.com" as the sender.
Splunk alerts from the newly added server have just "splunk@servername.com". As a result, the recipient of the email sees this email address, not the name "Splunk Alert".
I cannot find where to change it. All servers have the same /opt/splunk/etc/system/default/alert_actions.conf.
Thank you in advance for any suggestions.
UPDATE: the fix for the issue above was not Splunk related. The splunk@ address was added to the existing Contact "Splunk Alerts" by our AD administrator.
@somesoni2, just an update FYI. In our case the issue was resolved not through Splunk at all, but through our mail exchange settings. Apparently, we had a Contact called "Splunk Alerts". The messaging administrator just added splunk@hostname.acml.com to that contact.
The default from email address in newer versions is splunk@$LOCALHOST. You should be able to update the from email address by updating the alert_actions.conf file's [email] stanza. Refrain from modifying any conf file in the directory /opt/splunk/etc/system/default/. It's a big no-no. You can create a file alert_actions.conf in the directory /opt/splunk/etc/system/local/ instead and add the following:

/opt/splunk/etc/system/local/alert_actions.conf

[email]
from = Splunk Alert splunk@hostname.acml.com
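An added example (not from this thread or from Splunk) that applies the layering described above, system/local over system/default, to the [email] stanza, expands the $LOCALHOST placeholder, and reports whether the resulting value carries an RFC 5322 display name. The two conf texts and the hostname are constructed; the local file assumes the `Name <addr>` form, which is an assumption about how the display name should be written, not something the answer states.

```python
import configparser
from email.utils import parseaddr

# Constructed sample of what ships in etc/system/default (matches the thread's 'from = splunk').
DEFAULT_CONF = """
[email]
from = splunk
"""

# Constructed sample of an admin-created etc/system/local override.
# Assumption: the display name is written in RFC 5322 'Name <addr>' form.
LOCAL_CONF = """
[email]
from = Splunk Alert <splunk@hostname.acml.com>
"""


def effective_email_from(default_text, local_text, hostname="hostname.acml.com"):
    """Layer the local [email] stanza over the default one and return the
    effective 'from' value. $LOCALHOST is replaced with the supplied hostname
    (a constructed value here, not resolved from the running host)."""
    merged = {}
    for text in (default_text, local_text):
        cp = configparser.ConfigParser(interpolation=None)
        cp.read_string(text)
        if cp.has_section("email"):
            merged.update(cp["email"])   # later layer wins, key by key
    value = merged.get("from", "splunk@$LOCALHOST")  # fallback per the answer above
    return value.replace("$LOCALHOST", hostname)


def has_display_name(from_value):
    """True only if the value parses as 'Display Name <local@domain>'
    with both a non-empty name and a real address."""
    name, addr = parseaddr(from_value)
    return bool(name) and "@" in addr


if __name__ == "__main__":
    for label, local in (("default only", ""), ("with local override", LOCAL_CONF)):
        value = effective_email_from(DEFAULT_CONF, local)
        print(f"{label}: from={value!r} display_name={has_display_name(value)}")
```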
By "old" I meant servers that were already members of the cluster. All 4 servers have the same Splunk version "6.3.3", and all 4 servers have the same line in the [email] stanza:
from = splunk
But when the email actually arrives at a recipient, the "From" field looks different:
1. For the newly added Splunk search head it's:
From splunk@hostname.com
Splunk Alert Test
2. From the other search head servers it's:
From Splunk Alert
Splunk Alert Test
Note: none of them has a $SPLUNK_HOME/etc/system/local/alert_actions.conf version.
In addition to my previous comment: when I put 'Splunk Alert' as 'from' in the [email] stanza,
the system takes the first word 'Splunk' and adds the hostname by default. The second word 'Alert' is not used.