Alerting

Alert Email Address doesn't allow our domain

p8atsgsasd
Engager

When attempting to create an alert with an email notification we receive the error one of the email address in 'action.email.to' is invalid. It appears this is because of the domain we are using since as an example john.smith@example.com works vs. john.smith@example.h5 does not work.

There was another question raised similar to this with the answer being to upgrade to version 4.2.3 however we are running version 4.3. Is there another patch we need to install for this to work or can we edit a file?

0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

In Splunk 6 (likely also in earlier versions) the validation expression for email addresses is defined in the [validation:savedsearch] stanza of restmap.conf - you can overwrite that as usual in etc/system/local/restmap.conf to also allow your custom domains. Originally Splunk expects the TLD to match [a-z]{2,}.

View solution in original post

cam343
Path Finder

I created the following file: $SPLUNK_HOME/etc/system/local/restmap.conf
With the contents:

[validation:savedsearch]
action.email.to          = validate( match('action.email.to',  "(?i)^((?:[^@\s]+@(?:[^@\s.]+\.)+[a-z]{2,})|(?:^[A-Z0-9._%+-]+@[A-Z0-9.-]+.[A-Z]{1,4}$)|(\$([\w.*#\- ]+)(?:\{([^}]+)\})?\$))(?:\s*[,;]\s*((?:[^@\s]+@(?:[^@\s.]+\.)+[a-z]{2,})|(\$([\w.*#\- ]+)(?:\{([^}]+)\})?\$)))*$"), "One of the email addresses in 'action.email.to' is invalid")
action.email.cc          = validate( match('action.email.cc',  "(?i)^((?:[^@\s]+@(?:[^@\s.]+\.)+[a-z]{2,})|(?:^[A-Z0-9._%+-]+@[A-Z0-9.-]+.[A-Z]{1,4}$)|(\$([\w.*#\- ]+)(?:\{([^}]+)\})?\$))(?:\s*[,;]\s*((?:[^@\s]+@(?:[^@\s.]+\.)+[a-z]{2,})|(\$([\w.*#\- ]+)(?:\{([^}]+)\})?\$)))*$"), "One of the email addresses in 'action.email.cc' is invalid")
action.email.bcc         = validate( match('action.email.bcc',  "(?i)^((?:[^@\s]+@(?:[^@\s.]+\.)+[a-z]{2,})|(?:^[A-Z0-9._%+-]+@[A-Z0-9.-]+.[A-Z]{1,4}$)|(\$([\w.*#\- ]+)(?:\{([^}]+)\})?\$))(?:\s*[,;]\s*((?:[^@\s]+@(?:[^@\s.]+\.)+[a-z]{2,})|(\$([\w.*#\- ]+)(?:\{([^}]+)\})?\$)))*$"), "One of the email addresses in 'action.email.bcc' is invalid")

This has the addition of this regex: ^[A-Z0-9._%+-]+@[A-Z0-9.-]+.[A-Z]{1,4}$

Goto http://www.regexr.com/ to test what it matches for you.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

In Splunk 6 (likely also in earlier versions) the validation expression for email addresses is defined in the [validation:savedsearch] stanza of restmap.conf - you can overwrite that as usual in etc/system/local/restmap.conf to also allow your custom domains. Originally Splunk expects the TLD to match [a-z]{2,}.

tweaktubbie
Communicator

Just curious, the other way around, can this stanza be somehow used to ONLY allow to send to mail-adresses on @mydomain.com and @my-domain.com? It now seems that anyone can send output worldwide from the search bar?

p8atsgsasd
Engager

You were correct, the restmap.conf file did have this configuration. Further for future knowledge to help someone else hopefully, the regex I used was (?i)^(?:[^@\s]+@(?:[^@\s.]+\.)+[a-z0-9]{2,})(?:\s*[,;]\s*(?:[^@\s]+@(?:[^@\s]+\.)+[a-z0-9]{2,}))*$

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...