https://community.splunk.com/t5/Alerting/Email-Notification/m-p/673355#M15683 <P>Hi</P><P>you also must have working email sending feature configured on your splunk. You could test this with command sendemail like</P><LI-CODE lang="markup">index=* | head 1 | stats count | sendemail to="&lt;your email address&gt;" subject="Testing Splunk email sending" </LI-CODE><P>If this send email to you, then email sending is configured and in use. Otherwise your Splunk admin needs to configure it with your organisation email operator.</P><P>After that you could use email action on Alert configuration.</P><P>r. Ismo&nbsp;</P> Fri, 05 Jan 2024 13:33:20 GMT isoutamo 2024-01-05T13:33:20Z https://community.splunk.com/t5/Alerting/Email-Notification/m-p/673134#M15677 <P>How do I set up an email notification that is triggered by a user add/update/delete/activate?</P> Wed, 03 Jan 2024 14:59:39 GMT https://community.splunk.com/t5/Alerting/Email-Notification/m-p/673134#M15677 kehnerm 2024-01-03T14:59:39Z https://community.splunk.com/t5/Alerting/Email-Notification/m-p/673164#M15678 <P>You can do that in 3 steps.</P><P>1) Verify the user add/update/delete/activate events are indexed in Splunk.</P><P>2) Search the appropriate index for the events.</P><P>3) When you have search results you like, select "Alert" from the Save As menu.&nbsp; Complete the form and select "Send email" from the Trigger Actions menu.</P> Wed, 03 Jan 2024 17:45:57 GMT https://community.splunk.com/t5/Alerting/Email-Notification/m-p/673164#M15678 richgalloway 2024-01-03T17:45:57Z https://community.splunk.com/t5/Alerting/Email-Notification/m-p/673223#M15680 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;thank you for the quick response.&nbsp; I'm new to Splunk and need to set up an email notification.&nbsp; I've been working through documentation for several days now, and I'm still not getting this done.<BR /><BR />Would you please tell me how to accomplish this?<BR /><BR /><SPAN>1) Verify the user add/update/delete/activate events are indexed in Splunk.</SPAN></P> Thu, 04 Jan 2024 14:14:55 GMT https://community.splunk.com/t5/Alerting/Email-Notification/m-p/673223#M15680 kehnerm 2024-01-04T14:14:55Z https://community.splunk.com/t5/Alerting/Email-Notification/m-p/673336#M15682 <P>Your problem is not well-defined.</P><P>Splunk can only search (and alert based on) events that are in splunk. It's not clear whether you are trying to find added/changed/whatever _Splunk users_ (which should be at least partially achievable, but approach to this task can differ based on whether you have 9.x Splunk version which has _configtracker index or earlier one) or if you want to find in your Splunk data info about user accounts from other systems. In the latter case you need to have the information from those systems ingested into Splunk first in order to be able to find anything.</P> Fri, 05 Jan 2024 11:08:32 GMT https://community.splunk.com/t5/Alerting/Email-Notification/m-p/673336#M15682 PickleRick 2024-01-05T11:08:32Z https://community.splunk.com/t5/Alerting/Email-Notification/m-p/673355#M15683 <P>Hi</P><P>you also must have working email sending feature configured on your splunk. You could test this with command sendemail like</P><LI-CODE lang="markup">index=* | head 1 | stats count | sendemail to="&lt;your email address&gt;" subject="Testing Splunk email sending" </LI-CODE><P>If this send email to you, then email sending is configured and in use. Otherwise your Splunk admin needs to configure it with your organisation email operator.</P><P>After that you could use email action on Alert configuration.</P><P>r. Ismo&nbsp;</P> Fri, 05 Jan 2024 13:33:20 GMT https://community.splunk.com/t5/Alerting/Email-Notification/m-p/673355#M15683 isoutamo 2024-01-05T13:33:20Z https://community.splunk.com/t5/Alerting/Email-Notification/m-p/673361#M15684 <P>Just remember that in order to use sendemail command you need the schedule_search capability (yes, it's a bit counterintuitive)</P> Fri, 05 Jan 2024 14:14:07 GMT https://community.splunk.com/t5/Alerting/Email-Notification/m-p/673361#M15684 PickleRick 2024-01-05T14:14:07Z