Alerting

Sending mail is not working

abhayneilam
Contributor

Following is my content of "alert_actions.conf"

[email]
format = plain
from = Abhay the SPLUNKER
reportPaperSize = a4
reportServerURL =
subject = Splunk Alert: Test Mail From SPLUNK

But still I am not able to send mail (mail is not going). Kindly help me out with this.

0 Karma

stefanlasiewski
Contributor

Your "alert_actions.conf" must list an email server. Here is my example configuration. I simply route email through the host, because I know that the host is already configured to set up email:

[email]
...
# SMTP server sending out all alert emails
#
mailserver = localhost

From Documentation > Splunk > Alerting Manual > Set up alert actions > Configure email alert settings in ...

Email alerting will not work if the email alert settings in Manager are not configured, or are configured incorrectly. You can define these settings at Manager > System settings > Email alert settings.

On the Email alert settings Manager page, you can define the Mail server settings (the mail host, security type, username, password, and so on) and the Email format (link hostname, email sender name, email subject header, and inline results format).

wuming79
Path Finder

Hi,

I did the following but I still can't receive email. Still getting "[Errno 10061] No connection could be made because the target machine actively refused it while sending mail to: abc@gmail.com". What else should I do to make it work?

[email]
from = Splunk Control
pdf.header_left = none
pdf.header_right = none

# SMTP server sending out all alert emails
#
mailserver = localhost

0 Karma

yannK
Splunk Employee

Check the Splunk logs for errors:

The scheduler log, to see if an alert is triggered:
index=_internal source=*scheduler.log* "name of your search"

The python log, when the email script reports the errors:
index=_internal source=*python.log* email

0 Karma

yannK
Splunk Employee

And what about the python.log around the same time?
12-14-2012 18:45:00 to 18:46:00

0 Karma

abhayneilam
Contributor

This is my scheduler.log data:

12-14-2012 18:45:04.726 +0530 INFO SavedSplunker - savedsearch_id="admin;search;greater than 200 results", user="admin", app="search", savedsearch_name="greater than 200 results", status=success, digest_mode=1, scheduled_time=1355490900, dispatch_time=1355490901, run_time=0.500, result_count=275, alert_actions="email", sid="scheduler_adminsearch_RMD5b380e21c61118824_at_1355490900_166", suppressed=0, thread_id="AlertNotifierWorker-0"

Still, my mail is not going.

0 Karma

Drainy
Champion

I think the from field cannot contain spaces; it's meant to be an email address. Have you looked in splunkd.log for any errors?

Also, you will need to restart for this conf to take effect.

Drainy
Champion

I was talking about the actual value; including spaces in and around the equals is fine. This was actually a network issue in the end.

0 Karma

stefanlasiewski
Contributor

Spaces in the from = field work for me. I use something like COMPANY Splunk <noreply@splunk.example.org> and it works fine.

0 Karma

jonuwz
Influencer

Errno 10061 is a python socket error. It means the SMTP server received the IP packet, but the TCP stack refused it, and closed the connection.

In other words, your SMTP server isn't running, or it's running on a non-standard port, or iptables is set to block the traffic, or maybe you haven't installed/configured an SMTP server/relay on your Splunk box?

0 Karma
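A connectivity check for the refusal described in the answer above, added here as an example; it is not part of any post in the thread and is not Splunk's own code. It reads `mailserver` from an `[email]` stanza and classifies the TCP connect result. The function names, the sample stanza and the fallback to `localhost` on port 25 are assumptions.

```python
import socket

# Constructed sample modelled on the [email] stanza posted in the thread.
SAMPLE_CONF = """\
[email]
from = Splunk Control
 # SMTP server sending out all alert emails
 mailserver = localhost
"""

def mailserver_from_conf(text, default=("localhost", 25)):
    """Return (host, port) from the [email] stanza; port 25 is assumed if absent."""
    stanza, value = None, None
    for raw in text.splitlines():
        line = raw.strip()              # tolerate indented keys and comments
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
        elif stanza == "email" and "=" in line:
            key, _, val = line.partition("=")
            if key.strip() == "mailserver":
                value = val.strip()
    if not value:
        return default
    host, _, port = value.partition(":")
    return host, (int(port) if port else default[1])

def probe_smtp(host, port, timeout=3.0):
    """Open the same TCP connection an SMTP client would and classify the result."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                banner = s.recv(256).decode("ascii", "replace").strip()
            except socket.timeout:
                banner = ""             # connected, but the peer sent no greeting
        return ("ok" if banner.startswith("220") else "open-no-smtp-banner"), banner
    except ConnectionRefusedError as e:  # WinError 10061 on Windows, ECONNREFUSED on POSIX
        return "refused", str(e)
    except socket.timeout as e:          # packets dropped silently, e.g. by a firewall
        return "timeout", str(e)
    except socket.gaierror as e:         # mailserver hostname does not resolve
        return "dns-failure", str(e)
    except OSError as e:
        return "error", str(e)

if __name__ == "__main__":
    host, port = mailserver_from_conf(SAMPLE_CONF)
    print(host, port, probe_smtp(host, port))
```

Run it on the Splunk host itself, as the account Splunk runs under, so the result reflects the same network path the alert action uses.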

Drainy
Champion

Well, you still have spaces in the from field and I don't know if your email server is on the localhost or not. I also don't know what authentication it requires or the connectivity it has. The error you've pasted is related to the connectivity of the server, not Splunk's side.

0 Karma

abhayneilam
Contributor

Is this configuration OK?

[email]
format = plain
from = Abhay the SPLUNKER
reportPaperSize = a4
reportServerURL =
subject = Splunk Alert: Test Mail From SPLUNK

I have given host = localhost also

0 Karma

Drainy
Champion

That's a network issue and not a Splunk issue; "no connection could be made" suggests a firewall or URL issue. Double-check you've provided the correct settings for your email server.

abhayneilam
Contributor

This error is given when I am trying to give this manually:

command="sendemail", [Errno 10061] No connection could be made because the target machine actively refused it while sending mail to: abhay.singh@xxx.com

0 Karma