Set up email and create an email alert

Note

Email should be configured on the search head, not the indexer, because the search head is responsible for handling alerts and user-facing functionalities, including the UI that sends email notifications.

Server Setup

Troubleshooting:

If you have set up the email part but you are still not getting emails:

  1. In <Splunk Home>/etc/system/local there should be a file called "alert_actions.conf". If there is no file with that name in the local folder, create it.

    1. Anything in the local folder overrides the default settings.

    2. Add an [email] stanza. Comments in Splunk .conf files start with "#" on their own line (a "//" on a value line becomes part of the value), and auth_username and from must match:

       [email]
       # your mail server and port
       mailserver = smtp.gmail.com:587
       use_tls = true
       # make sure this matches from=
       auth_username = splunk@mydomain.com
       auth_password = <Your Password>
       # make sure this matches auth_username=
       from = splunk@mydomain.com

    3. Restart the server.

  2. After adding the details in the UI, go to the server and search for any file named alert_actions.conf to see if your details were saved. It should look like the file above but in a different location.
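The troubleshooting steps above come down to a few consistency checks on the [email] stanza. This added script (not part of the original notes or of Splunk) parses a stanza and reports the mistakes they describe: a misnamed file, a "//" comment swallowed into a value, a placeholder password, a mailserver without a port, and a from= that does not match auth_username=. The sample stanzas are constructed for the demonstration.

```python
import configparser
import os

# Constructed sample with the mistakes the notes warn about: the domain in
# auth_username differs from from=, and "//" is not a comment marker in a
# Splunk .conf file, so it becomes part of the from= value.
SAMPLE_BAD = """
[email]
mailserver = smtp.gmail.com:587
use_tls = true
auth_username = splunk@mydomin.com
auth_password = <Your Password>
from = splunk@mydomain.com // make sure this matches auth_username
"""

# Constructed sample that passes every check.
SAMPLE_GOOD = """
[email]
mailserver = smtp.gmail.com:587
use_tls = true
auth_username = splunk@mydomain.com
auth_password = example-app-password
from = splunk@mydomain.com
"""

def parse_email_stanza(text):
    """Return the [email] stanza as a plain dict; Splunk comments use '#' only."""
    cp = configparser.ConfigParser(interpolation=None, comment_prefixes=("#",))
    cp.read_string(text)
    return dict(cp["email"]) if cp.has_section("email") else {}

def check_email_stanza(cfg):
    """Return the list of problems that would stop alert emails from being sent."""
    problems = []
    for key in ("mailserver", "auth_username", "auth_password", "from"):
        if not cfg.get(key):
            problems.append("missing %s=" % key)
    for key, value in cfg.items():
        if "//" in value:
            problems.append("%s= contains '//' (put comments on their own '#' line)" % key)
    if ":" not in cfg.get("mailserver", ""):
        problems.append("mailserver= has no :port (e.g. smtp.gmail.com:587)")
    if cfg.get("use_tls", "").lower() not in ("true", "1"):
        problems.append("use_tls= should be true for port 587")
    if "<" in cfg.get("auth_password", ""):
        problems.append("auth_password= still holds the placeholder")
    sender = cfg.get("from", "").split()[0] if cfg.get("from") else ""
    if sender and sender != cfg.get("auth_username"):
        problems.append("from= (%s) does not match auth_username= (%s)" % (sender, cfg.get("auth_username")))
    return problems

def check_conf_path(path):
    """Splunk only reads alert_actions.conf; a misspelled file name is silently ignored."""
    name = os.path.basename(path)
    return [] if name == "alert_actions.conf" else ["%s is not alert_actions.conf" % name]
```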

Create an alert

Resources

Troubleshooting

How to set up email alert results

Basic values you can put in the subject or body

Example:

$name$    the name of the alert, e.g. "Sign in out of US"

Custom values

The most reliable approach is to have the alert's search return a table. Splunk pulls the $result.*$ values from the first row only, so if the search returns multiple rows only the first row is used.

| table _time, "User", "Client IP", City, Country

In the email, you access those values with:

Email: $result.User$
IP: $result.Client IP$
City: $result.City$
Country: $result.Country$
