topic Re: Where are the failures of sendemail logged in? in Splunk Search

Where are the failures of sendemail logged in?

danielbb — Mon, 28 Nov 2022 18:53:56 GMT

Does anybody know where the failures of sendemail are being logged? I wonder about cases where the e-mail address no longer exists and what type of error is generated and where. _internal and _audit don't seem to have this data.

Re: Where are the failures of sendemail logged in?

nyc_jason — Mon, 28 Nov 2022 19:30:42 GMT

try this:
index=_internal source=*python.log sendemail

Re: Where are the failures of sendemail logged in?

danielbb — Mon, 28 Nov 2022 21:23:42 GMT

Thank you, but unfortunately it doesn't show the failures.

Re: Where are the failures of sendemail logged in?

yuanliu — Tue, 29 Nov 2022 09:27:13 GMT

Are you looking for logs from your actual mail transfer agent (aka SMTP server) or an existing source in Splunk? Unless you actually ingest mail log, it won't be available.

When you say "e-mail address no longer exists," you don't mean that outlook.com used to exist but no longer, but a user's mailbox used to exist but no longer. Is this correct? Unless the server is rejecting connection (e.g., outlook.com all in a sudden stopped), Splunk submits data and will have no knowledge about mail handling. Only the MTA log will contain what you needed.

Re: Where are the failures of sendemail logged in?

PickleRick — Tue, 29 Nov 2022 11:10:40 GMT

There are two possible cases here.

1) The sendemail command (or the equivalent alert action) is unable to submit the email for delivery to the immediate SMTP server (due to bad/lack of authentication, network problems and so on). Those kinds of problems will be reported as logs from sendemail.py as @nyc_jason already showed

2) The email is properly submitted to the SMTP server but the delivery process doesn't complete properly (due to one of the many possible problems that can happen in email path) - well, then you have to troubleshoot your email system just like you would do with any other email. If the email generated from Splunk has some deliverable From address configured you might want to check the corresponding mailbox to see whether there were no delivery problem reports generated.

Re: Where are the failures of sendemail logged in?

danielbb — Wed, 30 Nov 2022 21:57:11 GMT

Great. What sort of errors _does_ sendemail report on?

Re: Where are the failures of sendemail logged in?

dhsmith21 — Thu, 07 Aug 2025 01:26:04 GMT

I know this is an older thread, but I am searching for a good way to get notifications for when and email fails to be sent as well.

I did find you can see these in $SPLUNK_HOME/var/log/splunk/python.log.

Specifically for my use case it is around the allowed domain list not having the domain listed.
If I find a good way to detect this within a standard or REST Splunk search I will reply. Hope this helps some.

Re: Where are the failures of sendemail logged in?

dhsmith21 — Thu, 07 Aug 2025 02:40:12 GMT

This should get the failed sendmail items, but doesn't appear get the ones dropped by allowed email domains list not including the domain. Still researching that use case.

index=_internal sourcetype=splunk_python ("Name or service not known while sending mail to" OR "Connection timed out while sending mail to")

some | rex maybe needed to make this more useful.

Re: Where are the failures of sendemail logged in?

dhsmith21 — Thu, 07 Aug 2025 02:46:12 GMT

This should get you everything you need: index=_internal sourcetype=splunk_python error