Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Send e-mail through Splunk search Alert "command="sendemail", 'rootCAPath'" but no where to add ROLE?

anonymous_hippo
Explorer
‎08-31-2021 11:15 AM

I'm trying send an e-mail from my Splunk Search Alert (I am using SPLUNK Enterprise), but I'm getting an error message "command="sendemail", 'rootCAPath' while sending mail to: MySuperCoolEmail101@gmail.com" and when I try a solution that involves going to Settings to Add a Role, I don't see that option listed at all.

 

My search query is something like (reference https://community.splunk.com/t5/Reporting/How-to-get-Splunk-sendemail-command-to-send-multiple-email...)

 

 

index=rtm source="/mypath/app.log" SomeRandomTextHereForTesting | sendemail to="MySuperCoolEmail101@gmail.com" format=raw subject=myresults server=mail.splunk.com sendresults=true

 

 

 

I found this post which suggests adding some "list_settings" role by going to Settings > Access Controls > Roles, but I do not seem to have that option (reference https://community.splunk.com/t5/Reporting/splunk-dashboard-cant-sent-email/m-p/489388)

Screen Shot 2021-08-31 at 1.09.27 PM.png

 

Am I doing something wrong? Is this because I'm on Splunk Enterprise? Am I using the correct mail server? How do I add ROLES?

Labels (3)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎08-31-2021 11:31 AM

To define roles (add capabilities to a role) you have to be an admin.

Reply

anonymous_hippo
Explorer
‎08-31-2021 03:09 PM

@PickleRick Is there anyway else to send an Email through splunk based on my Search Alert result? or am I blocked unless I can add this role? (I will keep seeing this rootCAPath error?

 

I tried EDITING the alert itself, and it has some "ACTIONS" like integration with PagerDuty, which works just fine for me (tested), and there is an EMAIL trigger also, however, when I write my email, nothing ever gets sent to it. That's why I was trying to above "sendemail" function. 

I also needed to include some of the dynamic information in the Search Results Alert into my EMAIL, hopefully this is easily feasible?

 

Thank you for your help thus far.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-01-2021 01:54 AM

Well, you can have an action "send email" in alert definition but the email settings for your Splunk Enterprise instance must be specified by the admin. If your Splunk instance was not configured for sending email, it's either an ommision by the admin or a deliberate choice not to use this functionality. Either way - you should consult your Splunk admin about this.

And it's overally a good idea - a normal user shouldn't be able to (ab)use email sending functionality by trying to send emails via random servers.

Reply

anonymous_hippo
Explorer
‎09-01-2021 04:25 PM

Hi, @PickleRick thanks for the help thus far. I reached out to my administrators today and found out I actually indeed do have ADMIN have for this splunk (enterprise).

 

Am I missing something here? Am I looking at the right spot (based on my first/initial screen shot I posted) for adding a Role, and is this even the correct approach I am taking?

I simply want to send an email through splunk alert.....

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-01-2021 11:54 PM

Well, that's strange because as an admin you should have additional entries in Settings dialog. Especially the links to manage roles and users.

See for yourself:

https://docs.splunk.com/Documentation/Splunk/8.2.2/Search/NavigatingSplunkWeb

Look at the screenshot of the Settings menu.

In a larger (not all-in-one) environment some settings might not be available but the ones we're talking about should definitely be there (for an admin).

Properly, you should have your email sending mechanism configured under Alert Actions.

Then when defining alert you only need to chose the defined Alert Action.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...