Educause Security Discussion mailing list archives

Re: Operational question: formatting Splunk alerts


From: Garrett Hildebrand <gdh () UCI EDU>
Date: Wed, 27 Feb 2019 11:03:58 -0800

Emily,

Just curious... in what way do you want to re-format them? Can you
show an alert that is generated and then what you'd like to see
differently in it?

So now some potential help in general...

In the Message portion of an alert that has an Action of "Send email",
you can use tokens to build customized messages. The tokens are
described here:

https://docs.splunk.com/Documentation/Splunk/7.1.2/Alert/EmailNotificationTokens

That might get you somewhere. There are new options for this area
as of the 6.1.* release.


Also, if you place an alert_actions.conf file in
~/etc/apps/search/local (and the alert runs out of the search app),
then there is a lot you can customize, as described here (plus the
option to run a script, as you mentioned):

https://answers.splunk.com/answers/389294/how-to-use-html-code-in-email-alerts-to-format-the.html


And, you can actually modify the way the search results are presented, as described here:

https://answers.splunk.com/answers/543473/how-to-change-the-alert-email-result-format.html


There is a very light-weight description of running an external
script to format your alert results here:

https://docs.splunk.com/Documentation/Splunk/6.5.2/Alert/Configuringscriptedalerts#Script_option

Change the release in the URL to match what you are using. Note that the script can be Perl or Python as well.


If you decide that you want to go the route of modifying
sendemail.py, there is a way to do this without having it overwritten
every time you upgrade. Basically, you copy the program to a new
name, and point Splunk at that, as described here:

https://answers.splunk.com/answers/2641/how-do-i-customize-scheduled-search-alert-emails.html


Something I have used is to save a search as a report, and have a sendemail at the end. When you run the report it will
generate an email. Here is a simple example:

index=syslogs_adcom pikfs
| rex "WebAuth:.*\s+-\s+(?<Action>[^ ]+)\s+.*http.*expresso\/pikfs\/(?<pikfsStem>[^\? ]+).*?\s(?<Result>[^ ]+)\s+(?<Message>.*)"
| stats count by userID Action pikfsStem Result Message
| addtotals col=t row=f
| sendemail to="somebody () uci edu" cc="somebodyelse () uci edu" subject="A sample search for pikfs events for Today (Ref.: JIRA SEC-4338)" sendresults=true footer="Please see the JIRA to obtain a copy of the search and run it yourself if you like"

Something that is not well documented about the sendemail command
is that many of the tokens available for an email alert are also
available to the sendemail command. I don't have a definitive list,
but I have used a number of them in this way. See the potential
list in the "Tokens that access search metadata" area of:

https://docs.splunk.com/Documentation/Splunk/6.1.2/Alert/Setupalertactions#Email_notification

Garrett
-==-==-
G.D. Hildebrand               Senior IT Security Analyst
UC Irvine, OIT, 6137 Science Library, Irvine, 92697-1175
tel.: 949-824-8913                   email: gdh () uci edu
My URL http://about.me/garretthildebrand
Splunk> the Benihana of log-data slicing and dicing.
                ¯\_(ツ)_/¯
Don't be a victim of phishing. Legitimate businesses don't ask you
to send sensitive information through insecure channels. Learn more:
http://er.educause.edu/blogs/2016/3/april-dont-get-hooked
Handle passwords wisely: http://www.bbc.com/news/technology-37510501
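As an added illustration of the external-script route discussed above (this is not code from the list post or from Splunk), here is a small Python formatter that turns a Splunk results file into the kind of plain-language summary a non-IT recipient could read. It assumes, as I understand Splunk's legacy scripted-alert interface, that the saved-search name arrives as argv[4] and the path to the gzipped CSV of results as argv[8]; the field labels and the sample rows are constructed for the demo.

```python
"""Turn raw Splunk alert results into a short, non-technical summary.

Assumption (not from the list post): the legacy scripted-alert interface
passes the saved-search name as argv[4] and the gzipped results CSV path
as argv[8].  The returned text replaces the raw CSV/JSON payload."""
import csv
import gzip
import sys
import tempfile

# Hypothetical plain-language labels for the fields in the thread's search.
FIELD_LABELS = {"userID": "User", "Action": "What happened",
                "pikfsStem": "Item", "Result": "Outcome"}


def load_results(path):
    """Read Splunk's results.csv.gz into a list of dicts."""
    with gzip.open(path, "rt", newline="") as fh:
        return list(csv.DictReader(fh))


def render_summary(search_name, rows):
    """Headline, count of non-successful events, then one line per row."""
    failures = sum(1 for r in rows if r.get("Result", "").lower() != "success")
    lines = [f"Alert: {search_name}",
             f"{len(rows)} event(s), {failures} of them not successful.", ""]
    for r in rows:
        parts = [f"{label}: {r[field]}"
                 for field, label in FIELD_LABELS.items() if r.get(field)]
        lines.append(" | ".join(parts))
    return "\n".join(lines)


def sample_results_file():
    """Constructed sample results standing in for argv[8] when run offline."""
    tmp = tempfile.NamedTemporaryFile(suffix=".csv.gz", delete=False)
    tmp.close()
    with gzip.open(tmp.name, "wt", newline="") as fh:
        w = csv.DictWriter(fh, fieldnames=list(FIELD_LABELS))
        w.writeheader()
        w.writerow({"userID": "alice", "Action": "download",
                    "pikfsStem": "report.pdf", "Result": "success"})
        w.writerow({"userID": "bob", "Action": "login",
                    "pikfsStem": "index", "Result": "denied"})
    return tmp.name


if __name__ == "__main__":
    name = sys.argv[4] if len(sys.argv) > 8 else "demo search"
    path = sys.argv[8] if len(sys.argv) > 8 else sample_results_file()
    print(render_summary(name, load_results(path)))
```

Run with no arguments to see the summary built from the constructed rows; wired in as a scripted alert it would read the real results file instead.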


Today (Wed, 27 Feb 2019) at 12:55 -0500 Emily Harris wrote:

I have an operational question for a Splunk expert. We want to re-format our alert emails from Splunk with a custom
template so they are more human readable. The idea is that we send certain triggers via email to a non-IT person and the
format of that email should be less technical (i.e. the raw or JSON payload). From what I can tell there are 3 methods:
1. Edit the sendemail.py script directly
2. Launch an external bash script
3. Use a script plugin

Has anyone used any of these methods successfully and can either point me to a really clear "how-to" document or make
some time for a consult?

Thank you!

----
Emily Harris, CISSP
Information Security Officer, CIS
Vassar College
845-437-7221
