topic Re: How can I search for alerts that send emails to specific users in Splunk 6.6? in Splunk Search

How can I search for alerts that send emails to specific users in Splunk 6.6?

adexteracc — Tue, 06 Feb 2018 19:14:48 GMT

Our setup has a quite a few alerts and we need to find all of the alerts that send email to a specific user. So far other than going through the alerts individually, I have not been able to find a way to search the alerts in this manner.

Re: How can I search for alerts that send emails to specific users in Splunk 6.6?

micahkemp — Tue, 06 Feb 2018 19:21:27 GMT

Try this:

| rest /services/saved/searches | search action.email.to="<email address>" | table title action.email.to

Re: How can I search for alerts that send emails to specific users in Splunk 6.6?

adexteracc — Tue, 06 Feb 2018 20:17:17 GMT

Doesn't look like that does the trick. I ran with the email address we were looking for and and a couple of others but was unable to get an results returned. Also ran the search with an asterisk for the email.to and found that the search didn't appear to return an email at all. Thank you for the suggestion.

Re: How can I search for alerts that send emails to specific users in Splunk 6.6?

micahkemp — Tue, 06 Feb 2018 20:19:24 GMT

Do you see any results for just | rest /services/saved/searches? And are you running the search on the splunk instance that has the alerts configured?

Re: How can I search for alerts that send emails to specific users in Splunk 6.6?

wrangler2x — Wed, 13 Feb 2019 19:57:41 GMT

This worked dandy for me.

Re: How can I search for alerts that send emails to specific users in Splunk 6.6?

jaxjohnny2000 — Thu, 04 Apr 2019 13:08:00 GMT

Try this also.

| rest /services/saved/searches | search action.email=1 action.email.to=targetemail@targetdomain.com | table title action.email.to

Re: How can I search for alerts that send emails to specific users in Splunk 6.6?

putnamblake — Tue, 28 Jul 2020 18:39:18 GMT

I think the above answers are correct but this cleans things up and gives more info. As this is 2020, you the below search is not bound by Splunk 6.x or 7.x- it should work universally.

| rest /services/saved/searches

| search action.email.to=* action.email=1

| rename eai:acl.app as Application, title as "Alert Name", triggered_alert_count as "Times Triggered Conditions Met", splunk_server as Host, action.email.to as "Sent To"

| table Application, "Alert Name", "Times Triggered Conditions Met", Host, "Sent To"

Re: How can I search for alerts that send emails to specific users in Splunk 6.6?

isoutamo — Tue, 28 Jul 2020 19:57:20 GMT

You must remember that there are also fields:

action.email.cc
action.email.bcc

Which you cannot get by REST.

And of course those can be a email aliases/mailing lists on mail server(s).

One way which show to you where splunk has sent alerts is query those from internal logs.

index=_internal source=*python.log sendemail "Sending email"

r. Ismo