Alerting

How to avoid the search parameter in email alerts

pstamati
Path Finder

Hi everybody.
I've configured a lot of email alerts in Splunk. The problem I see is that when an alert is triggered and I receive it, I see the information plus the configured search string that triggered the alert.
I would like to receive only the results.

Below is an example of the alert I receive by email


Saved search results.

Name: 'ANTIVIRUS - Reporte de actualizacion (Servidores)'
Query Terms: 'sourcetype=\"WMI:WinEventLog:Application\" EventCode=7 |dedup ComputerName | chart count(ComputerName) over ComputerName by virus_defs'
Link to results: https://hostname:8000/app/Liberty/@go?sid=scheduler__pstamati__Liberty_QU5USVZJUlVTIC0gUmVwb3J0ZSBkZ...
Alert was triggered because of: 'Saved Search [ANTIVIRUS - Reporte de actualizacion (Servidores)]: number of events(57)'

<--------- I'd like to receive only from here
ComputerName|140416r.|140417s.

AR-AVAYA-RT|0|1
AR-BES.Liberty.ar|0|1
AR-BSAS-AD1|0|1
AR-BSAS-AD2|0|1
AR-BSAS-DC1.Liberty.ar|0|1

1 Solution

cramasta
Builder

You can modify the alert_actions.conf file located at /etc/system/local

Add the following to the end of the file (or, if there is already a "command=" setting, replace it with the one below). This will remove the search query from the results and "should" remove the URL (haven't tested it yet).

command = sendemail "to=$action.email.to$" "server=$action.email.mailserver{default=localhost}$" "from=$action.email.from{default=splunk@localhost}$" "subject=$action.email.subject{recurse=yes}$" "format=$action.email.format{default=csv}$" "inline=$action.email.inline{default=False}$" "sendresults=$action.email.sendresults{default=False}$" "sslink=$results.url{default=False}$" "sendpdf=$action.email.sendpdf{default=False}$" "pdfview=$action.email.pdfview$" "searchid=$search_id$" "graceful=$graceful{default=True}$" maxinputs="$maxinputs{default=1000}$" maxtime="$action.email.maxtime{default=5m}$"
_validate-1 = action.email.sendresults, validate( is_bool('action.email.sendresults'), "Value of argument 'action.email.sendresults' must be a boolean")

To get rid of the "Saved search results." text you can edit the sendemail.py file to remove it. It currently looks like the line below in the file. If someone knows a better way to stop it showing up, please let me know.

intro += "Saved search results.\n\n"

You might have to restart Splunk after the change is made.


Ovi
Path Finder

The above solution doesn't work for me (Splunk 5.0.4), but I found a way to accomplish this very nicely by changing just one file instead of two.

Edit ../etc/apps/search/bin/sendemail.py and comment out lines #189-213 as shown below.
(You'll need to change the file permissions from read-only first.)
No need to restart Splunk; the change will be picked up at the next alert.
The "inline" alerts will show only the search results without any additional text.
The PDF or CSV alerts are not impacted by this change.

sendemail.py section, from line 189:

    # else:
    #     intro += "Saved search results.\n\n"

    #     if settings != None:
    #         user  = settings.get("user", None)
    #         if user:
    #             intro += "User: \'" + escape(user, plainText) + "\'\n"

    #     if ssName:
    #         intro += "Name: \'" + escape(ssName, plainText) + "\'\n"

    #     query = getarg(argvals, "ssquery", None)
    #     if query:
    #         intro += "Query Terms: \'" + escape(query, plainText) + "\'\n"

    #     ssLink = getarg(argvals, "sslink", None)
    #     if ssLink and not plainText:
    #         ssLink = "<a href=\"" + ssLink + "\">" + ssLink + "</a>"

    #     if ssLink:
    #         intro += "Link to results: " + ssLink + "\n";

    #     ssSummary = getarg(argvals, "sssummary", None)
    #     if ssSummary:
    #         intro += "Alert was triggered because of: \'" + escape(ssSummary, plainText) + "\'\n"
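Both answers work by controlling the same thing: the header block is built only from the sendemail arguments that are actually passed on the alert_actions.conf command line, and Ovi's edit removes the block entirely. The following is an added example, not Splunk's sendemail.py and not code from either poster: it re-implements the header logic visible in the commented-out block above, parses the command line posted in the accepted answer to list which header-related arguments (ssname, ssquery, sslink, sssummary) it still passes, and shows the effect of each approach on constructed values standing in for what Splunk would substitute at run time. The escape() helper and the demo() function are assumptions for illustration. One observable point: the posted command line no longer passes ssquery or ssname, so "Query Terms:" and "Name:" disappear, but it still passes sslink, so the "Link to results:" line (with its search ID) stays unless that argument is removed too. The example also HTML-escapes the link before placing it in an href, which the block above does not do.

```python
import shlex
from html import escape as html_escape

# sendemail arguments that feed the email header block ("Name:", "Query Terms:",
# "Link to results:", "Alert was triggered because of:") shown in the question.
INTRO_KEYS = ("ssname", "ssquery", "sslink", "sssummary")

# The 'command =' value posted in the accepted answer, copied from the thread.
POSTED_COMMAND = (
    'sendemail "to=$action.email.to$" "server=$action.email.mailserver{default=localhost}$" '
    '"from=$action.email.from{default=splunk@localhost}$" "subject=$action.email.subject{recurse=yes}$" '
    '"format=$action.email.format{default=csv}$" "inline=$action.email.inline{default=False}$" '
    '"sendresults=$action.email.sendresults{default=False}$" "sslink=$results.url{default=False}$" '
    '"sendpdf=$action.email.sendpdf{default=False}$" "pdfview=$action.email.pdfview$" '
    '"searchid=$search_id$" "graceful=$graceful{default=True}$" '
    'maxinputs="$maxinputs{default=1000}$" maxtime="$action.email.maxtime{default=5m}$"'
)


def parse_command(command):
    """Split an alert_actions.conf 'command =' value into {arg: value}.

    Assumption: shell-style tokenisation (shlex) is a close enough model of how
    the line is split; $...$ tokens are left untouched since they are only
    substituted by Splunk at run time.
    """
    args = {}
    for tok in shlex.split(command)[1:]:  # token 0 is the command name, "sendemail"
        key, _, value = tok.partition("=")
        args[key] = value
    return args


def intro_args_passed(command):
    """Return the header-related argument names a command line still passes."""
    return sorted(k for k in parse_command(command) if k in INTRO_KEYS)


def escape(text, plain_text):
    """Stand-in for the escape() used above: no-op for text/plain, HTML-escape otherwise."""
    return text if plain_text else html_escape(text, quote=True)


def build_intro(argvals, plain_text=True, user=None, suppress=False):
    """Rebuild the header block the way the commented-out sendemail.py lines do.

    argvals:  the key=value arguments from the command line (see parse_command)
    suppress: True models Ovi's edit (the whole block commented out)
    Leaving 'ssquery'/'ssname' out of argvals models cramasta's alert_actions.conf edit.
    """
    if suppress:
        return ""
    intro = "Saved search results.\n\n"
    if user:
        intro += "User: '" + escape(user, plain_text) + "'\n"
    if argvals.get("ssname"):
        intro += "Name: '" + escape(argvals["ssname"], plain_text) + "'\n"
    if argvals.get("ssquery"):
        intro += "Query Terms: '" + escape(argvals["ssquery"], plain_text) + "'\n"
    link = argvals.get("sslink")
    if link and not plain_text:
        # The original interpolates the URL unescaped; escape it so a value
        # containing quotes or '&' cannot break out of the href attribute.
        safe = html_escape(link, quote=True)
        link = '<a href="' + safe + '">' + safe + "</a>"
    if link:
        intro += "Link to results: " + link + "\n"
    if argvals.get("sssummary"):
        intro += "Alert was triggered because of: '" + escape(argvals["sssummary"], plain_text) + "'\n"
    return intro


def demo():
    """Compare the three outcomes: untouched, cramasta's command line, Ovi's edit."""
    # Constructed values standing in for what Splunk substitutes at run time.
    filled = {
        "ssname": "ANTIVIRUS - Reporte de actualizacion (Servidores)",
        "ssquery": 'sourcetype="WMI:WinEventLog:Application" EventCode=7 | dedup ComputerName',
        "sslink": "https://hostname:8000/app/Liberty/@go?sid=scheduler__example",
        "sssummary": "Saved Search [ANTIVIRUS]: number of events(57)",
    }
    full = build_intro(filled)
    still_passed = intro_args_passed(POSTED_COMMAND)          # ['sslink']
    trimmed = build_intro({k: v for k, v in filled.items() if k in still_passed})
    suppressed = build_intro(filled, suppress=True)
    return full, trimmed, suppressed


if __name__ == "__main__":
    print("header args still passed by the posted command:", intro_args_passed(POSTED_COMMAND))
    for label, text in zip(("unchanged", "posted command", "block commented out"), demo()):
        print("---", label, "---")
        print(text or "(empty)")
```

To check your own installation, paste the `command =` value from the `[email]` stanza of the alert_actions.conf that is actually in effect into `POSTED_COMMAND`; any of the four names that `intro_args_passed()` returns will still produce a header line in inline alerts.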


pstamati
Path Finder

Awesome!! Many thanks.
