Alerting

Alert Email Address doesn't allow our domain

p8atsgsasd
Engager

When attempting to create an alert with an email notification we receive the error one of the email address in 'action.email.to' is invalid. It appears this is because of the domain we are using since as an example john.smith@example.com works vs. john.smith@example.h5 does not work.

There was another question raised similar to this with the answer being to upgrade to version 4.2.3 however we are running version 4.3. Is there another patch we need to install for this to work or can we edit a file?

0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

In Splunk 6 (likely also in earlier versions) the validation expression for email addresses is defined in the [validation:savedsearch] stanza of restmap.conf - you can overwrite that as usual in etc/system/local/restmap.conf to also allow your custom domains. Originally Splunk expects the TLD to match [a-z]{2,}.

View solution in original post

cam343
Path Finder

I created the following file: $SPLUNK_HOME/etc/system/local/restmap.conf
With the contents:

[validation:savedsearch]
action.email.to          = validate( match('action.email.to',  "(?i)^((?:[^@\s]+@(?:[^@\s.]+\.)+[a-z]{2,})|(?:^[A-Z0-9._%+-]+@[A-Z0-9.-]+.[A-Z]{1,4}$)|(\$([\w.*#\- ]+)(?:\{([^}]+)\})?\$))(?:\s*[,;]\s*((?:[^@\s]+@(?:[^@\s.]+\.)+[a-z]{2,})|(\$([\w.*#\- ]+)(?:\{([^}]+)\})?\$)))*$"), "One of the email addresses in 'action.email.to' is invalid")
action.email.cc          = validate( match('action.email.cc',  "(?i)^((?:[^@\s]+@(?:[^@\s.]+\.)+[a-z]{2,})|(?:^[A-Z0-9._%+-]+@[A-Z0-9.-]+.[A-Z]{1,4}$)|(\$([\w.*#\- ]+)(?:\{([^}]+)\})?\$))(?:\s*[,;]\s*((?:[^@\s]+@(?:[^@\s.]+\.)+[a-z]{2,})|(\$([\w.*#\- ]+)(?:\{([^}]+)\})?\$)))*$"), "One of the email addresses in 'action.email.cc' is invalid")
action.email.bcc         = validate( match('action.email.bcc',  "(?i)^((?:[^@\s]+@(?:[^@\s.]+\.)+[a-z]{2,})|(?:^[A-Z0-9._%+-]+@[A-Z0-9.-]+.[A-Z]{1,4}$)|(\$([\w.*#\- ]+)(?:\{([^}]+)\})?\$))(?:\s*[,;]\s*((?:[^@\s]+@(?:[^@\s.]+\.)+[a-z]{2,})|(\$([\w.*#\- ]+)(?:\{([^}]+)\})?\$)))*$"), "One of the email addresses in 'action.email.bcc' is invalid")

This has the addition of this regex: ^[A-Z0-9._%+-]+@[A-Z0-9.-]+.[A-Z]{1,4}$

Goto http://www.regexr.com/ to test what it matches for you.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

In Splunk 6 (likely also in earlier versions) the validation expression for email addresses is defined in the [validation:savedsearch] stanza of restmap.conf - you can overwrite that as usual in etc/system/local/restmap.conf to also allow your custom domains. Originally Splunk expects the TLD to match [a-z]{2,}.

tweaktubbie
Communicator

Just curious, the other way around, can this stanza be somehow used to ONLY allow to send to mail-adresses on @mydomain.com and @my-domain.com? It now seems that anyone can send output worldwide from the search bar?

p8atsgsasd
Engager

You were correct, the restmap.conf file did have this configuration. Further for future knowledge to help someone else hopefully, the regex I used was (?i)^(?:[^@\s]+@(?:[^@\s.]+\.)+[a-z0-9]{2,})(?:\s*[,;]\s*(?:[^@\s]+@(?:[^@\s]+\.)+[a-z0-9]{2,}))*$

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...