Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Saved Search cannot send email

vincenteous
Communicator
‎09-29-2014 01:55 AM

Afternoon all,

I've upgraded splunk to version 6.1.3 recently and encountered an error in a scheduled saved search. The search, for an unknown reason, failed to identify the recipients listed in the configuration and splunkd.log showed the error like this:

 09-29-2014 15:30:18.287 +0700 ERROR ScriptRunner - stderr from '/apps/splunk/bin/python /apps/splunk/etc/apps/TselITSECOpSecEvents/bin/sendemail.py "results_link=https://10.35.105.25:8000/app/TselITSECOpSecEvents/@go?sid=scheduler__admin__TselITSECOpSecEvents__RMD5dba399bcecc9591e_at_1411979400_324" "ssname=tsel_itsecevent_unusual_access_to_resource_non_privilage_user" "graceful=True" "trigger_time=1411979418" results_file="/apps/splunk/var/run/splunk/dispatch/scheduler__admin__TselITSECOpSecEvents__RMD5dba399bcecc9591e_at_1411979400_324/results.csv.gz"':  ERROR:root:missing required argument: to. Please specify at least on email recipient as: "to=address@example.com"

I've inspected the job and I found all recipients. Unfortunately, splunk keep delivering the same error message. Can someone enlighten me about this case?

Thanks in advance

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

linu1988
Champion
‎09-29-2014 04:12 AM

Hello Vincenteous,
This is happening because of your old sendemail.py file. If you have managed to customize it you may not be able to use it with savedsearch. There are two options.

  1. One is to include a |sendmail command in your search and remove the to list. This will just work fine with all the provided parameters to the command.
  2. You need to replace the sendemail.py file with default search app sendemail.py file and customize it. You may also go for a scripting solution which will not actually change with every splunk release. Splunk doesn't give us a good template to customize our own email format so we need to do it by ourselves.

Thanks,
L

View solution in original post

Reply
Solved! Jump to solution

vincenteous
Communicator
‎09-29-2014 06:55 PM

Thanks to L. I've replaced the old sendemail.py with the one from splunk 6.1.3 version. As for preemptive measure, I've also replaced the old sendemail_handler.py.

0 Karma
Reply
Solved! Jump to solution
Solution

linu1988
Champion
‎09-29-2014 04:12 AM

Hello Vincenteous,
This is happening because of your old sendemail.py file. If you have managed to customize it you may not be able to use it with savedsearch. There are two options.

  1. One is to include a |sendmail command in your search and remove the to list. This will just work fine with all the provided parameters to the command.
  2. You need to replace the sendemail.py file with default search app sendemail.py file and customize it. You may also go for a scripting solution which will not actually change with every splunk release. Splunk doesn't give us a good template to customize our own email format so we need to do it by ourselves.

Thanks,
L

Reply
Solved! Jump to solution

vincenteous
Communicator
‎09-29-2014 06:53 PM

Thank you very much, L. I've suspected that sendemail.py would be the primary cause before, but I wasn't sure enough to execute it. I used method no. 2 in the end.

0 Karma
Reply
Solved! Jump to solution

jwelsh_splunk
Splunk Employee
Splunk Employee
‎01-27-2015 06:46 AM

Great catch, thanks for sharing!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...