Alerting

How can I get the alert emails sent out with multiple email addresses on one email instead of individual emails?

upcounselnick
Explorer

In the version of Splunk Light we were self hosting (6.2.2) we could just add everyone in the 'To' field, and it would send a single email out to all of us together. I even remember this from past times I've used Splunk Enterprise.

NOW in SLC 6.3, it sends individual emails to each person. This isn't ideal for us because we like to be able to reply all and let everyone know we're handling something.

I've tried using the 'CC' field, but that still sends individual emails as well so it seems like there's not much of a difference. You'd think CC would actually CC users to one email, but instead it's actually sending out individual emails with an empty To email.

Something could have fundamentally changed in one of the most recent versions of Splunk, and I'm trying to get to the bottom of it. This seems like a bug to me.

ChrisG
Splunk Employee

Splunk QA has confirmed that this is a bug, now logged as AMI-4340. I will update this posting when I have more information about a fix.

upcounselnick
Explorer

Thanks Chris!

ChrisG
Splunk Employee

The fix was pushed to production today.

upcounselnick
Explorer

Excellent. Thanks Chris!

ChrisG
Splunk Employee

Initial investigation by QA indicates that this is an issue specifically with the cloud version. They confirmed that the on-premises versions of Splunk Light and Splunk Enterprise both correctly handle email alerts with multiple recipients. We will update this posting again when we have more information.

jkat54
SplunkTrust

I'm curious if you can work around this by putting an array into the to field like this '["email@address.com","email2@address.com"]'

upcounselnick
Explorer

Getting a validation error: "In handler 'savedsearch': One of the email addresses in 'action.email.to' is invalid"

jkat54
SplunkTrust

Can you try it without the square brackets too?

upcounselnick
Explorer

Same thing.

jkat54
SplunkTrust

Sorry, I'm just a guy who tries every combo possible... I'd even try escaping the square brackets.

upcounselnick
Explorer

No problem. I thank you for your help. I'll try messing around with some different combinations to see if I can outsmart it. 🙂
