Alerting

Alerts triggered 30 times and only 3 emails received

mufthmu
Path Finder

Hi fellow splunkers,

I faced a mysterious issue where the number of triggered alerts does not match the number of emails received. When I check python.log, I see the alert is giving me this error:

2020-09-25 18:49:01,765 +0000 ERROR     sendemail:142 - Sending email. subject="Splunk Alert: to be deleted", results_link="http://aws-prod-east-splunk.megh.thingspace.com/app/search/@go?sid=scheduler__admin__search__RMD57f4b1593a5b5364b_at_1601059740_8497_BA4F469F-14CB-4CBF-A20F-40A798E7F698", recipients="[u'myemail@email.com']", server="top-smtp-proxy.ts-prod.cloud:587"

2020-09-25 18:49:01,765 +0000 ERROR     sendemail:475 - (530, 'Authentication required', u'no-reply-top@verizon.com') while sending mail to: myemail@email.com

AND, I found this anomaly in my alert configuration. 

Note that sendemail command from search bar worked and I did receive the email. So it's only giving me error for alerts or scheduled searches.

Anyone else having this issue? 

isoutamo
SplunkTrust
This error means that the receiving MTA cannot get a correct user + password from Splunk when it's trying to send email to someone.
Why it's working when you are sending it from the GUI is an interesting question...

mufthmu
Path Finder

@isoutamo Thank you for the response. Although I'm not sure if it's a user + password issue, simply because the exact same alert is still able to send email when triggered. But only a small percentage of those triggered alerts are sent; the rest have the error I mentioned above.

I, however, use apps to put my alerts in, and this is the alert_actions.conf file in system/local:

[email]
hostname = http://aws-prod-east-splunk.megh.thingspace.verizon.com
mailserver = top-smtp-proxy.ts-prod.cloud:587
pdf.header_left = none
pdf.header_right = none
disabled = 0
auth_password = {encrypted}
auth_username = AKIAUN3SJVAQRIOJW62G
from = myemail@mail.com (whitelisted)
use_tls = 1

and this is the alert_actions.conf in each app (I have about 10 apps):

[email]
subject= |prod-us-east-1| SplunkAlert: $name$ $result.cid$

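As an added example (not from the post or from Splunk), a small Python triage helper that pairs each "Sending email." line in python.log with the SMTP failure that follows it, so the attempted-versus-failed count per alert subject can be compared against what actually reached the mailbox. The log lines it runs on are constructed in the format shown in the post; the function name and sample values are hypothetical.

```python
import re
from collections import Counter

# Constructed sample of python.log lines, modelled on the format in the post.
# Four attempts for one alert, three of which hit the SMTP 530 error.
SAMPLE_LOG = """\
2020-09-25 18:49:01,765 +0000 ERROR     sendemail:142 - Sending email. subject="Splunk Alert: to be deleted", recipients="[u'ops@example.com']", server="smtp.example:587"
2020-09-25 18:49:01,765 +0000 ERROR     sendemail:475 - (530, 'Authentication required', u'no-reply@example.com') while sending mail to: ops@example.com
2020-09-25 18:50:01,210 +0000 ERROR     sendemail:142 - Sending email. subject="Splunk Alert: to be deleted", recipients="[u'ops@example.com']", server="smtp.example:587"
2020-09-25 18:51:01,455 +0000 ERROR     sendemail:142 - Sending email. subject="Splunk Alert: to be deleted", recipients="[u'ops@example.com']", server="smtp.example:587"
2020-09-25 18:51:01,460 +0000 ERROR     sendemail:475 - (530, 'Authentication required', u'no-reply@example.com') while sending mail to: ops@example.com
2020-09-25 18:52:01,903 +0000 ERROR     sendemail:142 - Sending email. subject="Splunk Alert: to be deleted", recipients="[u'ops@example.com']", server="smtp.example:587"
2020-09-25 18:52:01,910 +0000 ERROR     sendemail:475 - (530, 'Authentication required', u'no-reply@example.com') while sending mail to: ops@example.com
"""

# "Sending email." line: timestamp, level, subject and recipient list.
ATTEMPT_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \S+ (?P<level>\w+)\s+sendemail:\d+ - Sending email\. '
    r'subject="(?P<subject>[^"]*)".*?recipients="(?P<recipients>[^"]*)"'
)
# SMTP failure line: "(530, 'Authentication required', ...) while sending mail to: x"
FAILURE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \S+ ERROR\s+sendemail:\d+ - \((?P<code>\d{3}), '
    r"'(?P<msg>[^']*)'.*\) while sending mail to: (?P<to>\S+)"
)

def summarize_sendemail(log_text):
    """Return per-subject attempted/failed counts and a tally of SMTP failure reasons."""
    attempts = []                # one dict per "Sending email." line, in log order
    failure_reasons = Counter()  # (code, message) -> occurrences
    for line in log_text.splitlines():
        m = ATTEMPT_RE.match(line)
        if m:
            attempts.append({"ts": m["ts"], "subject": m["subject"],
                             "recipients": m["recipients"], "failed": False})
            continue
        m = FAILURE_RE.match(line)
        if m:
            failure_reasons[(int(m["code"]), m["msg"])] += 1
            # The failure is logged by the same sendemail invocation, so attribute
            # it to the most recent unpaired attempt that names this recipient.
            for a in reversed(attempts):
                if m["to"] in a["recipients"] and not a["failed"]:
                    a["failed"] = True
                    break
    per_subject = {}
    for a in attempts:
        s = per_subject.setdefault(a["subject"], {"attempted": 0, "failed": 0})
        s["attempted"] += 1
        s["failed"] += int(a["failed"])
    return {"per_subject": per_subject, "failure_reasons": dict(failure_reasons)}
```

Run it over the real python.log (e.g. `summarize_sendemail(open(path).read())`) and compare `attempted - failed` per subject with the mailbox count; if the failures are all 530 and intermittent, that points at the SMTP relay's handling of the credentials rather than at the alert definitions.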