Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Alert Email Address doesn't allow our domain

p8atsgsasd
Engager
‎02-27-2014 11:21 AM

When attempting to create an alert with an email notification we receive the error one of the email address in 'action.email.to' is invalid. It appears this is because of the domain we are using since as an example john.smith@example.com works vs. john.smith@example.h5 does not work.

There was another question raised similar to this with the answer being to upgrade to version 4.2.3 however we are running version 4.3. Is there another patch we need to install for this to work or can we edit a file?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-28-2014 12:26 AM

In Splunk 6 (likely also in earlier versions) the validation expression for email addresses is defined in the [validation:savedsearch] stanza of restmap.conf - you can overwrite that as usual in etc/system/local/restmap.conf to also allow your custom domains. Originally Splunk expects the TLD to match [a-z]{2,}.

View solution in original post

Reply
Solved! Jump to solution

cam343
Path Finder
‎05-18-2014 09:42 PM

I created the following file: $SPLUNK_HOME/etc/system/local/restmap.conf
With the contents:

[validation:savedsearch]
action.email.to          = validate( match('action.email.to',  "(?i)^((?:[^@\s]+@(?:[^@\s.]+\.)+[a-z]{2,})|(?:^[A-Z0-9._%+-]+@[A-Z0-9.-]+.[A-Z]{1,4}$)|(\$([\w.*#\- ]+)(?:\{([^}]+)\})?\$))(?:\s*[,;]\s*((?:[^@\s]+@(?:[^@\s.]+\.)+[a-z]{2,})|(\$([\w.*#\- ]+)(?:\{([^}]+)\})?\$)))*$"), "One of the email addresses in 'action.email.to' is invalid")
action.email.cc          = validate( match('action.email.cc',  "(?i)^((?:[^@\s]+@(?:[^@\s.]+\.)+[a-z]{2,})|(?:^[A-Z0-9._%+-]+@[A-Z0-9.-]+.[A-Z]{1,4}$)|(\$([\w.*#\- ]+)(?:\{([^}]+)\})?\$))(?:\s*[,;]\s*((?:[^@\s]+@(?:[^@\s.]+\.)+[a-z]{2,})|(\$([\w.*#\- ]+)(?:\{([^}]+)\})?\$)))*$"), "One of the email addresses in 'action.email.cc' is invalid")
action.email.bcc         = validate( match('action.email.bcc',  "(?i)^((?:[^@\s]+@(?:[^@\s.]+\.)+[a-z]{2,})|(?:^[A-Z0-9._%+-]+@[A-Z0-9.-]+.[A-Z]{1,4}$)|(\$([\w.*#\- ]+)(?:\{([^}]+)\})?\$))(?:\s*[,;]\s*((?:[^@\s]+@(?:[^@\s.]+\.)+[a-z]{2,})|(\$([\w.*#\- ]+)(?:\{([^}]+)\})?\$)))*$"), "One of the email addresses in 'action.email.bcc' is invalid")

This has the addition of this regex: ^[A-Z0-9._%+-]+@[A-Z0-9.-]+.[A-Z]{1,4}$

Goto http://www.regexr.com/ to test what it matches for you.

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-28-2014 12:26 AM

In Splunk 6 (likely also in earlier versions) the validation expression for email addresses is defined in the [validation:savedsearch] stanza of restmap.conf - you can overwrite that as usual in etc/system/local/restmap.conf to also allow your custom domains. Originally Splunk expects the TLD to match [a-z]{2,}.

Reply
Solved! Jump to solution

tweaktubbie
Communicator
‎06-02-2015 04:44 AM

Just curious, the other way around, can this stanza be somehow used to ONLY allow to send to mail-adresses on @mydomain.com and @my-domain.com? It now seems that anyone can send output worldwide from the search bar?

Reply
Solved! Jump to solution

p8atsgsasd
Engager
‎02-28-2014 11:59 AM

You were correct, the restmap.conf file did have this configuration. Further for future knowledge to help someone else hopefully, the regex I used was (?i)^(?:[^@\s]+@(?:[^@\s.]+\.)+[a-z0-9]{2,})(?:\s*[,;]\s*(?:[^@\s]+@(?:[^@\s]+\.)+[a-z0-9]{2,}))*$

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...