- Splunk Answers
- :
- Using Splunk
- :
- Alerting
- :
- Re: Saved Search cannot send email
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Afternoon all,
I've upgraded splunk to version 6.1.3 recently and encountered an error in a scheduled saved search. The search, for an unknown reason, failed to identify the recipients listed in the configuration and splunkd.log showed the error like this:
09-29-2014 15:30:18.287 +0700 ERROR ScriptRunner - stderr from '/apps/splunk/bin/python /apps/splunk/etc/apps/TselITSECOpSecEvents/bin/sendemail.py "results_link=https://10.35.105.25:8000/app/TselITSECOpSecEvents/@go?sid=scheduler__admin__TselITSECOpSecEvents__RMD5dba399bcecc9591e_at_1411979400_324" "ssname=tsel_itsecevent_unusual_access_to_resource_non_privilage_user" "graceful=True" "trigger_time=1411979418" results_file="/apps/splunk/var/run/splunk/dispatch/scheduler__admin__TselITSECOpSecEvents__RMD5dba399bcecc9591e_at_1411979400_324/results.csv.gz"': ERROR:root:missing required argument: to. Please specify at least on email recipient as: "to=address@example.com"
I've inspected the job and I found all recipients. Unfortunately, splunk keep delivering the same error message. Can someone enlighten me about this case?
Thanks in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Vincenteous,
This is happening because of your old sendemail.py file. If you have managed to customize it you may not be able to use it with savedsearch. There are two options.
- One is to include a |sendmail command in your search and remove the to list. This will just work fine with all the provided parameters to the command.
- You need to replace the sendemail.py file with default search app sendemail.py file and customize it. You may also go for a scripting solution which will not actually change with every splunk release. Splunk doesn't give us a good template to customize our own email format so we need to do it by ourselves.
Thanks,
L
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks to L. I've replaced the old sendemail.py with the one from splunk 6.1.3 version. As for preemptive measure, I've also replaced the old sendemail_handler.py.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Vincenteous,
This is happening because of your old sendemail.py file. If you have managed to customize it you may not be able to use it with savedsearch. There are two options.
- One is to include a |sendmail command in your search and remove the to list. This will just work fine with all the provided parameters to the command.
- You need to replace the sendemail.py file with default search app sendemail.py file and customize it. You may also go for a scripting solution which will not actually change with every splunk release. Splunk doesn't give us a good template to customize our own email format so we need to do it by ourselves.
Thanks,
L
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you very much, L. I've suspected that sendemail.py would be the primary cause before, but I wasn't sure enough to execute it. I used method no. 2 in the end.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Great catch, thanks for sharing!
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
