Alerting

Unable to trigger alert from splunk - Name or service not known while sending mail

splunker12er
Motivator

I am not able to trigger alerts from Splunk.

Splunk Version : 6.1

Below is the error message that I can see in:

source="/opt/splunk/var/log/splunk/python.log"

E.g. email: myemailid@domain.net

alert_actions.conf

[email]
mailserver = smtp.domain.net
reportServerEnabled = 0
reportServerURL = 
from = Splunk

commands.conf

[sendemail]
filename = sendemail.py
streaming = false
run_in_preview = false
passauth = true
required_fields = 
changes_colorder = false
supports_rawargs = true

ERROR Logs:

2014-06-20 09:20:02,244 +0000 ERROR sendemail:348 - [Errno -2] Name or service not known while sending mail to: myemailid@domain.net
2014-06-20 09:20:02,243 +0000 ERROR sendemail:112 - Sending email. subject="Splunk Alert: Top five sourcetypes", results_link="htt://splunkservername:8000/app/search/@go?sid=scheduler__nobody__search__RMD5d5bc9be9473d1026_at_1403256000_14627", recipients="[u'myemailid@domain.net]"
0 Karma

evinasco
Communicator

Could somebody fix this issue?

0 Karma

brod_geico
Path Finder

I have similar issues. Can someone tell me what the fix for this was?

0 Karma

MuS
Legend

Hi splunker12er,

Looking at the sendemail.py script, your saved search fails during the try: to send the email. Actually, at the moment when the SMTP auth user is checked.

  • Did you double check all the settings related to sending emails?
  • Increase the EmailSender system logging channel
  • What happens if you use the working search as saved search, does this send the email? Meaning, take the |sendemail to="myemailid@domain.net" smtp="smtp.domain.net" sendresults=true format=html search and run it as saved search.

cheers, MuS

0 Karma

splunker12er
Motivator

error Log:

ERROR sendemail:348 - please run connect() first while sending mail to: myemailid@domain.net

0 Karma

splunker12er
Motivator

I removed the smtp server name from the "Email Settings" page in Splunk Web.
(Point 3) When I save my search appended with the | sendemail command, it works great.

But when I use only my search query, it doesn't send email.

0 Karma

splunker12er
Motivator

When I use my query appended with,
|sendemail to="myemailid@domain.net" smtp="smtp.domain.net" sendresults=true format=html

But why doesn't it work with saved searches? I am confused.

0 Karma
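
The two error strings posted in this thread can be reproduced outside Splunk with Python's standard socket and smtplib modules. The following is an added example, not part of the original posts and not Splunk's sendemail.py. The names read_mailserver and diagnose, the injectable resolver parameter, and the "host or host:port, default port 25" reading of mailserver are assumptions made for illustration.

```python
import configparser
import smtplib
import socket

# Constructed sample: the [email] stanza as posted in the thread.
SAMPLE_CONF = """\
[email]
mailserver = smtp.domain.net
reportServerEnabled = 0
reportServerURL =
from = Splunk
"""

def read_mailserver(conf_text):
    """Return (host, port) from the [email] stanza; host is '' when unset.
    Assumes the value is 'host' or 'host:port' and defaults to port 25."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    value = cp.get("email", "mailserver", fallback="").strip()
    host, _, port = value.partition(":")
    return host, int(port) if port else 25

def diagnose(conf_text, resolver=socket.getaddrinfo):
    """Classify the failure before any mail is sent: (category, detail)."""
    host, port = read_mailserver(conf_text)
    if not host:
        # smtplib.SMTP() without a host opens no socket, so the first
        # command raises SMTPServerDisconnected.
        try:
            smtplib.SMTP(local_hostname="localhost").noop()
        except smtplib.SMTPServerDisconnected as exc:
            return "no-mailserver", str(exc)
    try:
        resolver(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        # errno -2 is EAI_NONAME on Linux: the name does not resolve here.
        return "dns-failure", "[Errno %d] %s" % (exc.errno, exc.strerror)
    return "resolves", "%s:%d" % (host, port)

if __name__ == "__main__":
    # Run on the Splunk host itself: resolution depends on that host's DNS.
    print(diagnose(SAMPLE_CONF))
    print(diagnose("[email]\nmailserver =\n"))
```

Running it as the same OS user and on the same host as splunkd matters, because name resolution is decided by that host's resolver configuration, not by the workstation where the search was tested.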