I have a handful of scheduled searches that a client would like emailed. They want to see the results in the email and not have to log into Splunk. However, when I go in Email Alert Settings in the WebUI set Splunk to Include Results Inline = yes, no matter what Email Format I choose they still receive no results in their email, only a link.
The search is returning results, and is emailing because it is set to email when number of events > 0.
Please let me know what settings I should check, I think this is a stock 4.1.4 install.
In your savedsearches.conf, make sure the following is set for the search in question:
action.email.sendresults = 1
Haha, nope, I totally missed that checkbox. Thanks guys!
In your savedsearches.conf, make sure the following is set for the search in question:
action.email.sendresults = 1
Just checking, but your sure you checked "Include results in email" on the saved search in question, right? The email format options are on a different page. In savedsearches.conf
this will take the form: action.email.sendresults = 1