Every email we get from Splunk looks like the following:
> Saved search results.
> Name: 'Tool - Test Port Channel Checking'
> Query Terms: 'sourcetype=syslog_info ETH_PORT_CHANNEL | rex "port-channel(?<port>\d+):" | dedup port | fields + port, host'
> Link to results: http://server.domain.net:8000/app/search/@go?sid=scheduler__nobody__search_VG9vbCAtIFRlc3QgUG9ydCBDa...
> Alert was triggered because of: 'Saved Search [Tool - Test Port Channel Checking]: custom(4)'
What I need to do is remove all that Splunk "Default" information and add my own. What .xml file controls this? I know how to add/remove Fields from email alerts, but the data above is given by default on every email.
MasterOogway
Check out my answer in http://answers.splunk.com/answers/41129/use-of-the-search-description-field-in-an-alert-email - I think it might be what you're looking for.
For the most part, these are controlled directly by the sendemail.py script, and not by a config file.
The simplest solution would be to schedule your search to call the sendemail command directly, by piping to:
`.... | sendemail.py to=user@foo.org sendresults=true server=mail.bar.org`
If you want more control, you'll need to create your own version of the sendemail script, and update commands.conf in the search app to point to your customized version.
See also:
http://answers.splunk.com/questions/8532/remove-query-and-table-header-from-emails
http://answers.splunk.com/questions/6423/how-to-change-default-alert-smtp-port
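The second approach above (your own version of the sendemail script) amounts to composing the message yourself from the search results. The following is an added example, not code from this thread or from Splunk's own sendemail.py: it takes result rows as CSV text, keeps only the fields you name, and builds an e-mail that carries none of the default "Saved search results" / "Query Terms" / "Link to results" lines. The search name, sender, recipients, SMTP host and the sample rows are all constructed for the example, and it assumes the custom command is wired up so the rows reach the script as plain CSV; how that wiring is configured in commands.conf is not shown here.

```python
"""Added example: build a stripped-down Splunk alert e-mail from result rows.

Not from the original thread or from Splunk's sendemail.py. Assumes the rows
arrive as plain CSV text (one row per result); everything else is constructed.
"""
import csv
import io
import re
import smtplib
from email.message import EmailMessage

# Constructed sample input, shaped like the output of the question's search
#   ... | rex "port-channel(?<port>\d+):" | dedup port | fields + port, host
# with the _time column Splunk typically carries along.
SAMPLE_CSV = """port,host,_time
1,sw-core-01,1326200123
10,sw-core-01,1326200130
2,sw-edge-03,1326200140
"""


def rows_from_csv(text):
    """Parse CSV text into a list of dicts, one per result row."""
    return list(csv.DictReader(io.StringIO(text)))


def render_table(rows, fields):
    """Plain-text table containing only the requested fields, in that order."""
    widths = {f: max([len(f)] + [len(r.get(f, "")) for r in rows]) for f in fields}
    lines = [
        "  ".join(f.ljust(widths[f]) for f in fields),
        "  ".join("-" * widths[f] for f in fields),
    ]
    for r in rows:
        lines.append("  ".join(r.get(f, "").ljust(widths[f]) for f in fields))
    return "\n".join(line.rstrip() for line in lines)


def header_safe(value):
    """Collapse control characters (CR, LF, NUL, ...) to a single space.

    Values that come from search results (a host name, an event field) may end
    up in the Subject; without this a CR/LF in such a value would let the event
    add its own headers, and EmailMessage would refuse the header anyway.
    """
    return re.sub(r"[\x00-\x1f\x7f]+", " ", value).strip()


def build_alert_message(search_name, rows, fields, sender, recipients):
    """Compose the alert with our own text only: no query terms, no results link."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = header_safe(f"[Splunk] {search_name}: {len(rows)} result(s)")
    msg.set_content(f"{header_safe(search_name)}\n\n{render_table(rows, fields)}\n")
    return msg


def send_alert(msg, server, port=25):
    """Deliver over SMTP; the relay host/port are assumed, like mail.bar.org in the answer."""
    with smtplib.SMTP(server, port) as smtp:
        smtp.send_message(msg)


if __name__ == "__main__":
    rows = rows_from_csv(SAMPLE_CSV)
    message = build_alert_message(
        "Tool - Test Port Channel Checking", rows, ["port", "host"],
        "splunk@example.org", ["user@foo.org"],
    )
    print(message)  # inspect the composed mail; send_alert(message, "mail.bar.org") would deliver it
```

Because only the fields passed to `build_alert_message` are rendered, columns such as `_time` or `_raw` never leak into the mail, and the results link with the scheduler sid is simply not included; add it back deliberately if the recipients need it.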