Alerting

Why is my triggered alert email not sending?

Path Finder

Hi,
I'm having an issue with my Splunk server. I'm trying to set up some alerts, and have entered all my email relay data under the email settings. As a test, I created an alert that contains the following search:

index=_internal | head 1 

The alert is triggered, but I don't receive an email. I have checked the mail relay and it seems like the message is going through. But I still don't receive anything. As another test I did the following search:

index=_internal | head 1 | sendemail to="<my email address>" format=raw sendresults=1 server=<smtp relay> footer="Sent from Splunk." from="SplunkAlerts" subject="Splunk Alert" message="The following Splunk Alert has been fired:"

When I run this search I receive the email. Is there something I'm missing in my configuration for the alerts? Any help that you can provide would be greatly appreciated.

1 Solution

Path Finder

I found the issue. It wasn't with Splunk or the mail relay. The external exchange server that we need to use (provided by our parent company) was marking it as spam. Still can't figure out why the manual search didn't get marked as spam, but the alert did; however, it's working now. Thanks for all your help.


Explorer

Hi @jbouch03,

How did you find this issue?

Path Finder

How did you identify that the external server was marking the email as spam? Is there a way we can search for all the spam marked emails in Splunk?

Champion

Check the ~/splunk/var/log/splunk/python.log which is where all the sendemail errors will be written.

Path Finder

Have you configured mail servers on the Splunk side?

Check the alerts.conf file.

0 Karma

Path Finder

The alert_actions.conf is configured. Is there a separate .conf file that needs to be configured?

0 Karma

Path Finder

On Splunk 7.3.1 there is no such thing as an alerts.conf file.

0 Karma

SplunkTrust

Anything suspicious in index=_internal source=*python.log?

0 Karma

Path Finder

As far as I can tell everything looks correct. I get the INFO statements but I don't see any ERROR or WARN flags.

0 Karma