Re: How to add a line break in an email alert?

vickileong · ‎08-06-2014

==> Saved search view in web interface

list(mailfrom)  TIME    count
abc@gmail.com   10/2/2012 09:05 12
apple@gmail.com 
stb@gmail.com   
peter@gmail.com 10/2/2012 09:16 15
mary@gmail.com  
happy@gmail.com 
abc@gmail.com   10/2/2012 09:43 13
apple@gmail.com 
stb@gmail.com

==> search result in the email alert

list(mailfrom)  TIME    count
abc@gmail.com apple@gmail.com stb@gmail.com 10/2/2012 09:05 12
peter@gmail.com mary@gmail.com happy@gmail.com  10/2/2012 09:16 15
abc@gmail.com apple@gmail.com stb@gmail.com 10/2/2012 09:43 13

All the line break are lost.
Although i can use mvjoin command to add ";" to separate them, but a line break is still necessary since there are more than 100 values in the list.

can anyone help? thank you.

ualbanytech · ‎05-07-2015

I feel your pain. I believe the problem is Splunk is not properly converting the line breaks (newlines) from the event to the appropriate line break sequence required by email (carriage return + Line feed) when passing it off to email. Been banging my head against this for hours. I attempted, with eval replace, to replace all newlines in the event with \r\n but, it inserts the literal string "\r\n".

vickileong · ‎08-22-2014

here is the conf found in /users//search/local/... I will find an machine with Outlook installed to test.
Here is part of the conf file: https://www.dropbox.com/s/sgnxoj12dlv63xv/savedsearches.conf.txt

MuS · ‎08-22-2014

check in etc/users/<yourusername>/search/local/ and I'm using a Exchange/Outlook mail service currently

vickileong · ‎08-22-2014

hi MuS, thanks for helping. I use the same search as you do. Splunk version is 6.1.1. I checked
- $SPLUNK_HOME/etc / apps / search / local / savedsearches.conf
- $SPLUNK_HOME/etc / system / local / savedsearches.conf
first one has nothing under [default], the second one has nothing.
Here is the link to the screen capture:
https://www.dropbox.com/s/c3p35gyl1ubemje/splunk-1.png
may I know what email server/service are you using? Exchange, Gmail, Yahoo ...?

MuS · ‎08-21-2014

could you please provide more details like the search used, your savedsearch.conf entry for this alert and the splunk version used?

I did a test on 6.0.x and this just works fine....
Search used: index=_internal | stats count list(source)
Result:

count   list(source)
72200   /opt/splunk/var/log/splunk/splunkd_access.log
        /opt/splunk/var/log/splunk/splunkd_access.log 
        /opt/splunk/var/log/splunk/splunkd_access.log

vickileong · ‎08-21-2014

hi ppablo, thanks for asking. But the problem is still there. I tried \r \n
but none of them works on Lotus Notes or Gmail. We attache the result as an PDF as an alternative method, but still, we are looking for a solution.

okrabbe_splunk · ‎08-21-2014

Did you ever find a resolution for this?

derekarnold · ‎08-07-2014

It might be your email client (Outlook) modifying the whitespace. Could you attach it as a csv or pdf instead of inline text?

Alternately you could use the sendemail command and set inline=false to force the attachment.

vickileong · ‎08-14-2014

hi Derek, thanks for the help. But gmail seems to have the same problem.

How to add a line break in an email alert?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...