Solved: Alert Email Address doesn't allow our domain

p8atsgsasd · ‎02-27-2014

When attempting to create an alert with an email notification we receive the error one of the email address in 'action.email.to' is invalid. It appears this is because of the domain we are using since as an example john.smith@example.com works vs. john.smith@example.h5 does not work.

There was another question raised similar to this with the answer being to upgrade to version 4.2.3 however we are running version 4.3. Is there another patch we need to install for this to work or can we edit a file?

martin_mueller · ‎02-28-2014

In Splunk 6 (likely also in earlier versions) the validation expression for email addresses is defined in the [validation:savedsearch] stanza of restmap.conf - you can overwrite that as usual in etc/system/local/restmap.conf to also allow your custom domains. Originally Splunk expects the TLD to match [a-z]{2,}.

View solution in original post

cam343 · ‎05-18-2014

I created the following file: $SPLUNK_HOME/etc/system/local/restmap.conf
With the contents:

[validation:savedsearch]
action.email.to          = validate( match('action.email.to',  "(?i)^((?:[^@\s]+@(?:[^@\s.]+\.)+[a-z]{2,})|(?:^[A-Z0-9._%+-]+@[A-Z0-9.-]+.[A-Z]{1,4}$)|(\$([\w.*#\- ]+)(?:\{([^}]+)\})?\$))(?:\s*[,;]\s*((?:[^@\s]+@(?:[^@\s.]+\.)+[a-z]{2,})|(\$([\w.*#\- ]+)(?:\{([^}]+)\})?\$)))*$"), "One of the email addresses in 'action.email.to' is invalid")
action.email.cc          = validate( match('action.email.cc',  "(?i)^((?:[^@\s]+@(?:[^@\s.]+\.)+[a-z]{2,})|(?:^[A-Z0-9._%+-]+@[A-Z0-9.-]+.[A-Z]{1,4}$)|(\$([\w.*#\- ]+)(?:\{([^}]+)\})?\$))(?:\s*[,;]\s*((?:[^@\s]+@(?:[^@\s.]+\.)+[a-z]{2,})|(\$([\w.*#\- ]+)(?:\{([^}]+)\})?\$)))*$"), "One of the email addresses in 'action.email.cc' is invalid")
action.email.bcc         = validate( match('action.email.bcc',  "(?i)^((?:[^@\s]+@(?:[^@\s.]+\.)+[a-z]{2,})|(?:^[A-Z0-9._%+-]+@[A-Z0-9.-]+.[A-Z]{1,4}$)|(\$([\w.*#\- ]+)(?:\{([^}]+)\})?\$))(?:\s*[,;]\s*((?:[^@\s]+@(?:[^@\s.]+\.)+[a-z]{2,})|(\$([\w.*#\- ]+)(?:\{([^}]+)\})?\$)))*$"), "One of the email addresses in 'action.email.bcc' is invalid")

This has the addition of this regex: ^[A-Z0-9._%+-]+@[A-Z0-9.-]+.[A-Z]{1,4}$

Goto http://www.regexr.com/ to test what it matches for you.

martin_mueller · ‎02-28-2014

In Splunk 6 (likely also in earlier versions) the validation expression for email addresses is defined in the [validation:savedsearch] stanza of restmap.conf - you can overwrite that as usual in etc/system/local/restmap.conf to also allow your custom domains. Originally Splunk expects the TLD to match [a-z]{2,}.

tweaktubbie · ‎06-02-2015

Just curious, the other way around, can this stanza be somehow used to ONLY allow to send to mail-adresses on @mydomain.com and @my-domain.com? It now seems that anyone can send output worldwide from the search bar?

p8atsgsasd · ‎02-28-2014

You were correct, the restmap.conf file did have this configuration. Further for future knowledge to help someone else hopefully, the regex I used was (?i)^(?:[^@\s]+@(?:[^@\s.]+\.)+[a-z0-9]{2,})(?:\s*[,;]\s*(?:[^@\s]+@(?:[^@\s]+\.)+[a-z0-9]{2,}))*$

Alert Email Address doesn't allow our domain

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation