alert_actions.conf suddenly appears at SPLUNK_HOME/etc/apps/[appname]/local/

mufthmu
Path Finder

Hi Fellow Splunkers,

I have an issue with triggered alerts failing to send email with an authentication error (I use SMTP). I found out that alert_actions.conf was mysteriously created under SPLUNK_HOME/etc/apps/[appname]/local/ with the below stanza:

[email]
auth_password = encrypted value

This value takes precedence over system/local/alert_actions.conf and is the main reason why emails are not getting sent. These issues only occur in my custom apps; the search app is working as it should.

This is a Splunk cluster with 3 search heads. This issue is seen on every search head, and local/alert_actions.conf is always automatically created even after I delete it. Note that I always push changes from the master node, so I can't explain why there is a file in my custom apps under the /local/ directories.

Any input would be appreciated, thank you!

0 Karma
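
An added example, not part of the original post: a Python audit that lists every app whose local/alert_actions.conf carries an [email] stanza and flags keys that differ from etc/system/local, reporting key names and file modification times only, never the stored values. The function names, the sample app name `my_custom_app` and the placeholder values are assumptions constructed for illustration.

```python
import os
import tempfile

def read_stanzas(path):
    """Minimal reader for simple .conf files: returns {stanza: {key: value}}."""
    stanzas, current = {}, None
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if line.startswith("[") and line.endswith("]"):
                current = stanzas.setdefault(line[1:-1], {})
            elif "=" in line and current is not None:
                key, _, value = line.partition("=")
                current[key.strip()] = value.strip()
    return stanzas

def find_email_overrides(splunk_home):
    """Report [email] keys set in apps/*/local/alert_actions.conf (values are not returned)."""
    system_conf = os.path.join(splunk_home, "etc", "system", "local", "alert_actions.conf")
    system_email = read_stanzas(system_conf).get("email", {}) if os.path.isfile(system_conf) else {}
    apps_dir = os.path.join(splunk_home, "etc", "apps")
    findings = []
    for app in sorted(os.listdir(apps_dir)):
        conf = os.path.join(apps_dir, app, "local", "alert_actions.conf")
        if not os.path.isfile(conf):
            continue
        for key, value in sorted(read_stanzas(conf).get("email", {}).items()):
            findings.append({"app": app, "key": key,
                             "differs_from_system": system_email.get(key) != value,
                             "mtime": os.path.getmtime(conf)})  # when the file last changed
    return findings

def build_sample_tree(root):
    """Constructed sample layout; the values are placeholders, not real secrets."""
    files = {
        "etc/system/local/alert_actions.conf": "[email]\nmailserver = smtp.example.test\nauth_password = CONSTRUCTED_A\n",
        "etc/apps/my_custom_app/local/alert_actions.conf": "[email]\nauth_password = CONSTRUCTED_B\n",
        "etc/apps/search/local/savedsearches.conf": "[sample]\nsearch = index=main\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as home:
        build_sample_tree(home)
        print(find_email_overrides(home))
```

On a live search head, `splunk btool alert_actions list email --debug` shows which file supplies each merged setting, and the reported modification time can be lined up with the time the file reappears.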